Garmin

Security checks across malware telemetry and agentic risk

Overview

This Garmin skill is purpose-aligned for fetching fitness data, with a local session-cache risk users should manage.

Install only if you are comfortable granting the skill access to a dedicated Garmin 1Password item. Prefer a virtual environment for dependencies, restrict the 1Password token to the needed vault/item, and secure or delete /tmp/garmin-session after use on shared systems.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The script handles highly sensitive credentials and persists authenticated session material to `/tmp/garmin-session` without warning the user or setting restrictive permissions. On multi-user systems or developer workstations, writing tokens/cookies to a predictable temporary path can expose session artifacts to other local processes or users and increase the chance of accidental disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal