ClawHub

Garmin Cli

Security checks across malware telemetry and agentic risk

Overview

This Garmin skill mostly documents a CLI, but it needs Review because it gives an agent broad Garmin account-changing and raw API abilities without clear safeguards.

Install only if you trust the external garmin-cli Homebrew package and are comfortable granting it Garmin account access. Avoid putting your Garmin password or MFA code directly in commands, logs, or shared agent transcripts. Require explicit approval before any upload, workout create/update/delete, file output, or raw API POST command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest frames the skill as read-only access to Garmin Connect data, but the documented commands also permit state-changing actions such as uploads, workout creation/update/deletion, and arbitrary POST requests. This capability mismatch can mislead users or higher-level agents into invoking destructive or unintended operations under the assumption that the skill only reads data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The raw `gc api` interface exposes a broad, effectively arbitrary backend API surface that exceeds the narrowly described health/activity access use case. This greatly increases attack surface because an agent or user can reach undocumented endpoints and perform unintended reads or writes, including sensitive account or health-data operations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The authentication examples instruct users to pass email, password, and MFA code directly on the command line, which can expose secrets via shell history, process listings, logs, or agent transcripts. In a tool-mediated environment, these examples normalize insecure secret handling and increase the chance of credential leakage.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The raw API POST examples encourage arbitrary request bodies without warning that they may transmit or modify highly sensitive health and account data. In this skill context, the absence of guardrails is more dangerous because Garmin data includes intimate personal and biometric information, and POST requests may change remote state.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documented workout create, update, and delete commands are mutating operations, but the skill provides them without warnings about modifying or permanently removing user data. In an agent setting, this increases the likelihood of accidental remote changes because the overall skill is presented primarily as data access rather than account modification.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal