Is garmin-health-analysis safe?

The skill instructs users to store Garmin email and password in plaintext across up to 4 locations: ~/.clawdbot/clawdbot.json, config.json in the skill directory, environment variables, and command-line arguments (visible in process lists). Any other skill or agent with filesystem read access can harvest these credentials. The credentials grant full access to the user's Garmin Connect account including location history, health data, and personal information.

The skill instructs the LLM agent to execute garmin_data.py, garmin_query.py, garmin_chart.py, garmin_auth.py, and garmin_activity_files.py via python3 shell commands. These scripts use sys.path manipulation to import each other and execute with full user privileges. While current code appears benign, any modification to these scripts (via skill update) would be executed automatically by the agent without user review.

The skill requires pip3 install of garminconnect, fitparse, and gpxpy. Python package installation can execute arbitrary code via setup.py. While these are legitimate, established packages, a supply chain compromise of any of them would result in code execution during installation. The garminconnect package is particularly sensitive as it is an unofficial, community-maintained library.

Session tokens stored at ~/.clawdbot/garmin-tokens.json persist OAuth tokens that grant API access to the user's Garmin account without needing the password. Other skills or processes on the same system could read this file to access Garmin data without the user's knowledge.

The skill contains an install.sh file whose contents were not captured in the evidence collection. This shell script could contain arbitrary commands that execute during skill installation. Without visibility into its contents, it represents an unknown risk.

The references/health_analysis.md file contains detailed health interpretation frameworks with specific thresholds and recommendations. While it includes a medical disclaimer, the structured prompt template could cause the agent to provide authoritative-sounding health assessments that users might over-rely on. This is a design concern rather than a security issue.

The activity files script can download FIT/GPX/TCX files to the local filesystem. While intended for activity analysis, the download-and-parse pattern could be leveraged if the Garmin API response were manipulated to deliver malicious content. The fitparse library processes binary FIT files which could theoretically contain crafted payloads targeting parser vulnerabilities.

The garmin_data.py profile command returns the user's display name and email address. While this is the user's own data, it could be inadvertently logged or exposed in agent conversation history.

All filesystem events during installation are attributable to standard system library loading (ld.so.cache), process initialization (nsswitch.conf, passwd, group), and the monitoring framework itself. No anomalous file access patterns detected.