Skill v0.1.0
ClawScan security
Garmin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 19, 2026, 10:18 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (fetch Garmin data via garminconnect and 1Password), but its manifest and instructions are inconsistent about required credentials, and it invokes another skill's scripts and writes local files. The undeclared env vars and the cross-skill execution warrant caution.
- Guidance: things to check before installing:
  - Metadata mismatch: the registry says "no required env vars", but the scripts require OP_SERVICE_ACCOUNT_TOKEN and (optionally) GARMIN_1P_ITEM_NAME / GARMIN_1P_VAULT. Expect to provide a 1Password service account token and a Login item for your Garmin account.
  - 1Password token scope: the skill uses the op CLI with a service account token. Make sure that token is least-privilege and that you trust the environment where it will run; a service account token can read every item in every vault it has been granted access to, not just the Garmin item.
  - Inspect and trust garminconnect: the Python library performs the login and dumps the session (client.garth.dump). Review what session files are created in /tmp/garmin-session/ and decide whether temporary caching of a live Garmin session in a world-readable temp directory is acceptable.
  - File writes and cross-skill calls: the skill caches data under /root/clawd/data/fitness/garmin/ and invokes /root/clawd/skills/strava/scripts/training-summary.sh. Confirm those paths and their ownership are acceptable and that calling another skill's script is intended.
  - Virtualenv & install: create and use an isolated virtualenv as recommended. Avoid pip's --break-system-packages flag unless you understand that it overrides the externally-managed-environment protection on distro Pythons. Verify the Python version and path assumptions (the script inserts a python3.12 site-packages path).
  - If you want to proceed: create a dedicated 1Password Login item for Garmin, limit the service account token's vault access to that item's vault, run the skill in an isolated environment, and manually review the garminconnect library and the session/cache directories after the first run.
  - If you want the metadata fixed: ask the publisher to declare OP_SERVICE_ACCOUNT_TOKEN and GARMIN_1P_* in requires.env and to document the exact files and paths the skill reads and writes.
Review Dimensions
- Purpose & Capability (note): The code and SKILL.md match the stated purpose: they use the garminconnect library and 1Password to fetch Garmin credentials and produce fitness metrics. However, the skill metadata claims no required environment variables and no primary credential, even though the scripts clearly require OP_SERVICE_ACCOUNT_TOKEN and a 1Password item (GARMIN_1P_ITEM_NAME / GARMIN_1P_VAULT). That mismatch between declared requirements and actual runtime needs is an incoherence.
- Instruction Scope (concern): Runtime scripts read 1Password via the op CLI (subprocess calls), fall back to reading ~/.config/op/service-account-token, export GARMIN_EMAIL/GARMIN_PASSWORD into the environment for Python, log in to Garmin, dump session files into /tmp/garmin-session/, and cache JSON under /root/clawd/data/fitness/garmin/. The morning summary script also invokes another skill's script (/root/clawd/skills/strava/scripts/training-summary.sh). These actions go beyond simple API calls: cross-skill invocation, local file writes, and reading a local 1Password service account token should all be explicit in the skill metadata and instructions.
- Install Mechanism (note): There is no formal install spec (instruction-only), which is low-risk in principle. The SKILL.md recommends pip install garminconnect and creating a venv; the scripts assume a venv at ./venv and a Python 3.12 site-packages path. The pip recommendation includes --break-system-packages, which overrides pip's refusal to install into an externally managed distro Python and is inappropriate outside a venv. No remote downloads or archive extractions are present in the skill files.
- Credentials (concern): The skill requires a 1Password service account token (OP_SERVICE_ACCOUNT_TOKEN) and a 1Password Login item containing the Garmin email and password. That is proportional to logging into Garmin, but it was not declared in the registry metadata. The skill also reads ~/.config/op/service-account-token if OP_SERVICE_ACCOUNT_TOKEN is not set. Service-account-level 1Password access is powerful: verify the token's vault scope and prefer a least-privilege credential granted only the vault holding the Garmin item. No other unrelated credentials are requested.
- Persistence & Privilege (note): The skill writes session tokens to /tmp/garmin-session/ and caches daily JSON in /root/clawd/data/fitness/garmin/. It does not set always:true or modify other skills' configuration, but it does call another skill's script by absolute path. Persistent files and cross-skill invocation increase the blast radius and should be reviewed, though they are consistent with caching and generating summaries.
