Garmin Cli

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: garmin-cli
Version: 1.0.5

The skill is suspicious due to its reliance on an external Homebrew tap (`voydz/homebrew-tap`) and package (`garmin-cli`) for its core functionality, as instructed in `SKILL.md`. This introduces a supply chain vulnerability, as the integrity of the `garmin-cli` binary and its distribution channel cannot be guaranteed by the skill bundle itself. Additionally, the `gc login` command, also documented in `SKILL.md`, involves passing user credentials directly on the command line, which can be a security risk depending on the execution environment and logging practices.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the external CLI lets that package's code run locally and handle Garmin login flows.

Why it was flagged

The setup relies on an external Homebrew tap and package that are not included in the reviewed artifacts. This is disclosed and central to the skill, but users should verify the package source before installing.

Skill content

brew tap voydz/homebrew-tap
brew install garmin-cli

Recommendation

Verify the Homebrew tap and package provenance before installing, and keep the CLI updated from a trusted source.

What this means

Anyone or any agent using the authenticated CLI may be able to access personal Garmin health, fitness, device, activity, workout, and profile information.

Why it was flagged

The skill requires Garmin account credentials and possibly MFA to access account health and fitness data. This is expected for Garmin Connect access, but it is sensitive account authority.

Skill content

gc login --email EMAIL --password PASS [--mfa CODE | --wait-mfa]

Recommendation

Only use this skill on a trusted machine, avoid exposing passwords in logs or shared shell history, and log out when the integration is no longer needed.

What this means

If invoked with the wrong arguments, the agent could change or delete Garmin workout data or upload activity files to the account.

Why it was flagged

The command catalog includes Garmin account mutation operations, including uploading activities and creating, updating, or deleting workouts. These are disclosed CLI capabilities, not hidden behavior.

Skill content

gc activities upload FILE                         # .fit, .gpx, .tcx
...
gc workouts create --file workout.json
...
gc workouts update WORKOUT_ID --file workout.json
...
gc workouts delete WORKOUT_ID

Recommendation

Require explicit user confirmation before running upload, create, update, or delete commands, and review IDs and file paths carefully.