Back to skill

Security audit

Garmin Connect

Security checks across malware telemetry and agentic risk

Overview

This Garmin health-data skill has useful, mostly purpose-related features, but it needs review because it weakly stores Garmin credentials and includes under-scoped Feishu/webhook sharing of sensitive health reports.

Install only after reviewing the Feishu/webhook scripts, daemon/timer behavior, and local storage paths. Avoid using the password-on-command-line examples, treat ~/.garth/session.json and ~/.clawdbot/garmin/data.db as highly sensitive, remove or rotate the embedded Feishu credentials, and disable outbound reports unless you explicitly want Garmin health summaries sent to that destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (30)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
if not script_path.exists():
            return f"❌ 脚本不存在:{script_path}"

        result = os.popen(f'python3 {script_path}').read()

        if not result:
            return "❌ 暂无数据"
Confidence
93% confidence
Finding
result = os.popen(f'python3 {script_path}').read()

Tainted flow: 'data' from input (line 71, user input) → requests.post (network output)

Medium
Category
Data Flow
Content
}

        try:
            response = requests.post(url, headers=headers, json=data, timeout=10)
            result = response.json()

            if result.get("code") == 0:
Confidence
91% confidence
Finding
response = requests.post(url, headers=headers, json=data, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes capabilities that include reading and writing local files, making network requests, and invoking shell commands, yet no permissions are declared. This creates a transparency and consent problem: a host or reviewer cannot accurately constrain or assess what the skill is allowed to do, increasing the chance of over-privileged execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented behavior extends well beyond the declared Garmin sync purpose into Feishu messaging, local message queuing, background daemon management, and mentions hardcoded default Feishu App ID/App Secret values. Undocumented outbound reporting and embedded credentials materially raise the risk of covert data exfiltration and secret misuse, especially because the skill handles sensitive health data.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script transmits sensitive health-derived content outside the stated Garmin sync/storage scope by queuing reports for Feishu delivery. Even though it only writes to a local queue file here, the clear purpose is onward sharing of personal health data to another service, which creates an unauthorized data-flow expansion and privacy risk if users did not explicitly consent to messaging/export behavior.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file adds proactive Feishu messaging of health reports, which is not described in the skill metadata that only mentions Garmin OAuth sync and SQLite storage. This capability expands the data-sharing surface and could surprise users by exfiltrating personal health data to an external messaging platform.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The interactive setup provisions Feishu credentials and enables external messaging even though that capability is not justified by the declared Garmin integration purpose. In context, this broadens the skill from data sync/storage into outbound dissemination of health information, which materially increases privacy and abuse risk.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The setup prompts imply the user is entering their own Feishu App ID and Secret, but silently substitutes hardcoded credentials when the fields are left blank. This is dangerous because it can cause users to unknowingly operate under embedded third-party credentials, enabling unauthorized message sending, credential misuse, or hidden data routing under someone else's app.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This script expands the skill beyond Garmin sync/storage by reading separate Feishu credentials and transmitting derived health data to Feishu or persisting it to a local alert file. That creates an unexpected data flow for sensitive health information and increases the attack surface because users of a Garmin integration would not reasonably expect secondary messaging integration or local report dumping.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The Garmin reporting script accesses a separate local Feishu credential file, which is unrelated to the declared Garmin integration scope and enables cross-service secret use. This is dangerous because it couples sensitive health processing with another application's credentials, making unintended exfiltration or credential misuse easier if the script is run in an automated context.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This code transmits Garmin-derived health summaries to Feishu, which expands the skill from local sync/storage into third-party data disclosure. That matters because the data includes sensitive personal health information and the transfer occurs through a webhook mechanism not described in the manifest, reducing user visibility and informed consent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The setup flow adds a Feishu webhook integration that is outside the stated Garmin sync/storage purpose, creating an undisclosed external exfiltration path for sensitive fitness and sleep data. Hidden or under-documented data-sharing features are dangerous because users may enable them without understanding that private health summaries will leave the local system.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The script claims credentials are saved securely, but it only base64-encodes the password before writing it to disk. Base64 is trivially reversible, so anyone with access to the file can recover the Garmin password, and the misleading wording may cause users to underestimate the risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script aggregates a much broader set of sensitive biometric and health telemetry than the skill description suggests, including sleep, HRV, respiration, body battery, stress, fitness age, and lactate-threshold data. This is a real data-minimization and transparency problem: users or downstream systems may authorize or invoke the skill expecting limited fitness sync, while the code exfiltrates or stores significantly more sensitive health data than disclosed.

Intent-Code Divergence

Low
Confidence
87% confidence
Finding
The docstring implies use of saved credentials/session state, but the code actually loads a locally stored email and reversibly encoded password from ~/.garth/session.json and performs a fresh login. This discrepancy matters because base64 is not encryption, and the behavior increases credential exposure and surprises operators who may believe only a session token is reused.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This router does more than classify Garmin-related queries: it executes local Python programs as a side effect. In a skill context, that expands the attack surface from simple data retrieval to arbitrary local code execution through whichever scripts are present in the configured directory, making the overall design more dangerous if those files are replaced, tampered with, or unexpectedly privileged.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The script launches a hard-coded local Python interpreter and executes a separate local script via subprocess during initialization. This expands the trust boundary and creates a supply-chain/local-tampering risk: if that interpreter path, virtualenv, or init_db.py is modified, the sync process will execute unintended code with the user's privileges.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The README suggests natural-language trigger phrases such as asking about sleep, steps, or workouts without any indication of namespacing, confirmation, or intent disambiguation. In a conversational agent, broad triggers that overlap with ordinary chat can cause the skill to activate unexpectedly and expose or act on sensitive health data when the user did not explicitly intend to invoke this integration.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The README documents synchronization and local storage of sensitive health data along with persisted authentication session material, but provides no warning about privacy, filesystem permissions, credential handling, or retention. In this context, health metrics and OAuth session artifacts are sensitive, so omission of security guidance increases the chance that users will store or expose private data insecurely.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README instructs users to pass their email and password directly on the command line. Command-line arguments are commonly exposed through shell history, process listings, logs, and monitoring tools, which can leak Garmin credentials to other local users or administrators.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script writes health report contents, including sleep, heart rate, steps, calories, and workout details, into a persistent local queue file without any consent prompt, retention control, or access restriction visible in the code. This increases exposure of sensitive personal data to other local users, backup systems, or unrelated processes that can read the file.

Missing User Warnings

High
Confidence
99% confidence
Finding
A hardcoded Feishu App Secret is embedded in the script and then written into a local config file, creating direct secret exposure and persistence. Anyone with source access or a copied config can use the secret to obtain tokens and act as the Feishu app, and the problem is especially serious because the script handles personal health notifications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script transmits health-related content such as sleep, heart rate, calories, and workouts to an external service without a prominent warning or explicit informed consent at send time. Because this data is sensitive and the skill description does not advertise external sharing, users may not understand that personal health information is leaving the local Garmin integration context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends detailed health summaries to a webhook or writes them to a persistent local file without any user-facing notice, consent, minimization, or retention policy. Because the content includes sensitive health and activity information, unauthorized disclosure could expose private medical or lifestyle data to other services, local users, backups, or logs.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script automatically sends a generated report containing sleep, heart-rate, steps, calories, and workout information to an external webhook without a send-time warning or confirmation. Because this is sensitive health-related data, silent transmission increases privacy risk, especially if the webhook points to a group chat, wrong tenant, or compromised endpoint.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.