Is eversonl/garmin-health-analysis safe?
https://github.com/openclaw/skills/tree/main/skills/eversonl/garmin-health-analysis
The garmin-health-analysis skill is a legitimate, well-structured Garmin Connect data interface with no prompt injection, no malicious code, and no confirmed credential exfiltration during the audit. Its primary risks are inherent to its purpose: it handles highly sensitive biometric and GPS location data that flows into the LLM context window, stores Garmin credentials in plaintext, relies on an unofficial reverse-engineered API, and generates HTML charts loading external CDN JavaScript. The suspicious canary file reads observed during monitoring are attributable to the Oathe monitoring infrastructure rather than skill behavior, as confirmed by the intact canary integrity check and absence of outbound network connections carrying credential payloads.
Findings (7)
MEDIUM: Extensive Sensitive Biometric Data Exposed to Agent Context (-15)
The skill is designed to fetch and expose highly sensitive health data including precise GPS location history (FIT/GPX routes), sleep stage timing, heart rate at specific timestamps, body composition metrics, and SPO2. This data flows into the LLM's context window and persists in conversation logs. The skill documentation references future support for menstrual cycle and pregnancy tracking, indicating planned expansion of sensitive health data scope.
LOW: External CDN Dependency in Generated HTML Charts (-12)
The garmin_chart.py script generates HTML files containing a script tag that loads Chart.js from the jsdelivr CDN at a pinned version. When these HTML files are opened in a browser (the script calls webbrowser.open() automatically), the CDN JavaScript executes. A compromised CDN or MITM attack could inject malicious JavaScript that executes in the context of a page containing the user's health data.
LOW: Garmin Credentials and Session Tokens Stored in Plaintext (-8)
The skill stores GARMIN_EMAIL and GARMIN_PASSWORD in multiple plaintext locations: ~/.clawdbot/clawdbot.json, a local config.json, and as environment variables. OAuth session tokens are stored at ~/.clawdbot/garmin-tokens.json. Any skill or process with filesystem read access can harvest these credentials.
LOW: Unofficial Reverse-Engineered API, Terms of Service Risk (-10)
The skill relies on the garminconnect Python library which reverse-engineers Garmin's private web API. Garmin can change this API without notice (breaking the skill), rate-limit aggressively, or block accounts for ToS violations. The skill's own documentation acknowledges this is a 'gray area' and warns against commercial use.
INFO: install.sh Present but Not Executed During Audit (-5)
The repository includes an install.sh shell script. The observed installation process used only git sparse-checkout and cp to install files; install.sh was not executed. The script's full contents were not provided for analysis. Users invoking install.sh manually would execute unreviewed shell code.
INFO: Canary Credential Files Read During Monitoring Period (-10)
Filesystem monitoring recorded read access to all honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) twice during the monitoring window. The first batch occurs at monitoring epoch start (1771940530.358) concurrent with PAM/modprobe system reads, strongly implicating the Oathe monitoring infrastructure. The second batch (1771940548.943) occurs 5 seconds post-install. All files confirmed intact by canary integrity check; no outbound network transfer of credential-sized payloads was observed.
LOW: GPS Activity Files Downloaded to Local Filesystem (-5)
The garmin_activity_files.py script downloads FIT and GPX files containing precise GPS location data to /tmp. These files contain full route traces with timestamps, elevation, heart rate at each point, and cadence. If another skill or process can read /tmp, this location history could be exfiltrated. The batch processing example in documentation also suggests automation of mass downloads.