Back to skill

Security audit

Garmin Cli

Security checks across malware telemetry and agentic risk

Overview

This Garmin skill is not malicious, but it needs Review because it gives broad access to sensitive Garmin data and remote account-changing commands without enough warnings or scoping.

Install only if you trust the external garmin-cli package and are comfortable giving it Garmin account access. Avoid placing your Garmin password or MFA code in prompts, shell history, scripts, logs, or transcripts. Require explicit approval before any upload, workout create/update/delete, file output containing sensitive data, or raw API POST command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The manifest and top-level description frame the skill as read-only access to Garmin Connect data, but the documented commands also allow creating, updating, deleting, and uploading remote resources. That scope mismatch is dangerous because an agent or user may authorize or invoke the skill under the assumption it is observational, when it can in fact modify account state.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill is presented as data access, but it documents activity uploads and a raw API interface that supports arbitrary POST requests. This materially expands capability from passive retrieval to unrestricted account mutation or data submission, which is especially risky because the raw API surface may reach undocumented or sensitive Garmin endpoints.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The authentication examples instruct users to pass email, password, and MFA codes directly on the command line, which can expose secrets via shell history, process listings, logs, or agent transcripts. In an agent context this is more dangerous because credentials may be captured in conversation history or execution telemetry.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill handles highly sensitive personal data, including health, reproductive, and activity information, but provides no privacy or data-handling warning. This increases the risk that users or agents will retrieve, store, or transmit sensitive data without appropriate minimization, consent, or retention controls.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documented workout create, update, and delete commands modify remote user data but are presented without any warning or confirmation guidance. In an agent setting, this can lead to accidental state changes, destructive actions, or unexpected modification of a user's training plans.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The raw API examples include arbitrary POST requests without warning that they may transmit, alter, or delete account data. Because the endpoint path and body are user-controlled, this effectively exposes a broad mutation primitive that can reach sensitive or undocumented services beyond the safer high-level CLI commands.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.