Garmin

Review

Audited by ClawScan on May 10, 2026.

Overview

The Garmin integration is purpose-aligned, but it handles password-vault credentials and persists Garmin session/health data with incomplete declaration and weak retention controls.

Review carefully before installing. Only use this if you are comfortable letting the skill access Garmin credentials through 1Password and read sensitive health metrics. Restrict the 1Password service-account token to the Garmin item, use a virtual environment with pinned dependencies, secure or periodically delete `/tmp/garmin-session/`, and decide whether local caching under `/root/clawd/data/fitness/garmin/` is acceptable.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing or running the skill gives it access to Garmin account credentials via 1Password and may leave reusable Garmin session tokens on disk.

Why it was flagged

The script automatically reads a local 1Password service-account token, reveals the Garmin password, and writes Garmin session tokens. That credential/session authority is high-impact and is not reflected in the registry's declared credential or environment requirements.

Skill content

```
export OP_SERVICE_ACCOUNT_TOKEN="${OP_SERVICE_ACCOUNT_TOKEN:-$(cat ~/.config/op/service-account-token 2>/dev/null)}"
EMAIL=$(op item get "$GARMIN_1P_ITEM_NAME" --vault "$GARMIN_1P_VAULT" --fields username 2>/dev/null)
PASSWORD=$(op item get "$GARMIN_1P_ITEM_NAME" --vault "$GARMIN_1P_VAULT" --fields password --reveal 2>/dev/null)
...
client.garth.dump(dir_path='/tmp/garmin-session/')
```

Recommendation

Declare the required 1Password/Garmin credentials, restrict the 1Password service account to only the Garmin item, store session tokens in a private directory with restrictive permissions, and add explicit cleanup or expiration guidance.

What this means

Sensitive fitness and health information may remain available to the local system or future agent runs after the original query.

Why it was flagged

The skill can persist daily Garmin health metrics, including sleep, stress, heart-rate, and recovery data, as dated local JSON files. This is related to the skill purpose, but the artifacts do not define retention, encryption, or cleanup.

Skill content

```
CACHE_DIR="${GARMIN_CACHE_DIR:-/root/clawd/data/fitness/garmin}"
CACHE_FILE="$CACHE_DIR/$TODAY.json"
...
echo "$CACHED" > "$CACHE_FILE"
```

Recommendation

Make caching opt-in, document retention clearly, use restrictive file permissions, and provide a cleanup command for cached health data.

What this means

The installed package version may change over time, and the system Python environment could be affected if the non-venv command is used.

Why it was flagged

The skill asks the user to install an unpinned third-party Python package and even shows a system-package-breaking install option. This is central to the Garmin integration, but it increases dependency and local environment risk.

Skill content

```
pip3 install garminconnect --break-system-packages
# Or using a virtual environment (recommended):
# python3 -m venv ./venv
```

Recommendation

Prefer the virtual environment path, pin dependency versions, and avoid `--break-system-packages` unless the user explicitly accepts the system-level impact.

What this means

The Garmin skill's output can depend on another local skill whose behavior is outside this review.

Why it was flagged

The morning summary runs a hard-coded script from a separate Strava skill that is not included in this artifact set. The Strava integration is described in SKILL.md, but the dependency is not declared in metadata.

Skill content

```
STRAVA=$(/root/clawd/skills/strava/scripts/training-summary.sh 2>/dev/null || true)
```

Recommendation

Declare the Strava dependency explicitly and review the referenced Strava skill before relying on combined morning summaries.