Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
garmin connect cn
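v1.0.0
Query personal health and activity data from Garmin Connect CN (Garmin China). Whenever the user mentions Garmin/佳明, asks about any health metric such as running pace, sleep quality, HRV, Body Battery, VO2 Max or training status, or wants to export FIT/GPX/TCX files or analyze the split data of a particular activity, this skill should be activated first, even if the user has not explicitly said "...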
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (Garmin Connect CN data access, exports, FIT parsing) matches the provided scripts and SKILL.md. The included garmin_cli.py uses the garminconnect library to talk to connect.garmin.cn and fit_file_parser.py parses .fit files as advertised.
Instruction Scope
SKILL.md instructs the agent to locate SKILL_DIR (including running a 'find ~' search), pick a RUNNER, and possibly ask the caller to run commands if no shell permission. Asking the operator to execute commands and to surface command output is expected for a CLI-driven skill, but it does mean the agent may request outputs that contain sensitive metadata (file paths, environment info). The locate/search step reads the user's home tree (up to depth 8), which is reasonable for finding the bundled script but could reveal directory structure.
Install Mechanism
There is no install spec; the skill is instruction + bundled Python scripts. SKILL.md suggests installing Python packages (garminconnect, fitparse) via pip if needed — a standard, low-risk approach. No external arbitrary archives or shorteners are downloaded.
Credentials
The skill declares no environment variables and does not request unrelated cloud credentials. It does require the user's Garmin account credentials for login, which is appropriate for the purpose. The implementation stores the email and password in plaintext in ~/.config/garmin-cn/credentials.json (file perms set to 0o600). Storing raw passwords locally is functionally coherent but increases risk if the host is compromised; users should prefer token-based auth if available.
Persistence & Privilege
The skill persists credentials to the user's config directory (~/.config/garmin-cn) and modifies/clears a cache directory (~/.garth) to avoid stale SSO tokens. It does not request global 'always' inclusion. Storing credentials in its own config dir and clearing its own cache is normal, but clearing ~/.garth could affect other tools that share that cache directory.
Assessment
This skill appears to do what it says: it uses the garminconnect library to query connect.garmin.cn and includes a FIT parser for .fit files. Before installing or running it, consider:
1) it asks for your Garmin email and password and saves them as plain JSON in ~/.config/garmin-cn/credentials.json (file mode 600); if you prefer not to store your password locally, avoid using login or remove the file after use;
2) the skill's runtime instructions may ask you (or an operator) to run shell commands and paste outputs; don't paste secrets or unrelated files;
3) the SKILL.md uses find ~ to locate the scripts, which will reveal parts of your home directory structure if executed by the agent;
4) it clears the ~/.garth cache, which could affect other tools using that cache.
If you are comfortable with these behaviors and trust the environment, the skill is coherent with its purpose. If you require stronger protections, prefer token-based auth or run the tool manually in an isolated environment.
Like a lobster shell, security has layers: review code before you run it.
latest vk97fnnn8jgvtcbyk288yt9q1158410x9
