Is garrza/garmer safe?
https://github.com/openclaw/skills/tree/main/skills/garrza/garmer
The garrza/garmer skill is a Garmin Connect health data extraction tool with clean SKILL.md documentation and well-structured Python source code showing no obvious malicious intent. The primary concerns are: (1) six canary credential files were opened and read during the audit session — likely by the Oathe audit framework's own canary verification rather than skill code, but the reads cannot be fully attributed without complete process correlation; (2) the garmer update command is described as 'git pull' for a pip-installed package, which is non-standard and unverifiable as cli.py was not fully visible; and (3) the actual runtime binary is sourced from PyPI rather than the audited GitHub source, introducing supply chain risk. The skill legitimately handles sensitive health PII and stores OAuth tokens persistently, warranting user awareness before installation.
Findings (7)
MEDIUM (-20): Canary credential files opened and read during audit session
Six honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were opened and accessed in two batches: at 08:37:07 (pre-clone) and 08:37:25 (post-install). Timing and correlated process activity strongly suggest the Oathe audit framework's own canary hash-capture and post-install verification, not skill code. However, the reads are confirmed in both inotifywait and auditd PATH records and cannot be dismissed without full process attribution.
MEDIUM (-18): garmer update command uses git pull; implementation unverified
SKILL.md documents a garmer update command described as 'Update garmer to latest version (git pull)'. For a pip-installed package this is unusual; standard practice is pip install --upgrade. If cli.py implements a literal git pull on the installed files, it bypasses pip's signature verification and checksum integrity, enabling silent code replacement. The full content of cli.py was not present in the audit evidence, so the actual implementation cannot be confirmed.
MEDIUM (-15): Runtime binary sourced from PyPI, not from audited GitHub code
The garmer CLI tool is installed via 'pip install garmer' or 'uv install garmer' from PyPI, not directly from the GitHub source audited here. The PyPI package could differ from the visible source code. Supply chain attacks against PyPI are documented; the audited source cannot guarantee what executes on the user's machine.
LOW (-12): Garmin OAuth tokens stored persistently in home directory
garmer stores Garmin OAuth tokens in ~/.garmer/garmin_tokens after login. These tokens grant ongoing access to the user's complete Garmin Connect health history. Any process running as the same user, or any other installed skill with file-read capability, could exfiltrate these tokens for persistent unauthorized Garmin account access.
LOW (-15): Extensive sensitive health PII collected and aggregatable
The skill accesses body weight, body fat percentage, muscle mass, BMI, sleep duration and phases, HRV, heart rate samples, GPS activity data, stress levels, body battery, and hydration data. The garmer export command can aggregate 30+ days of this data into a single JSON file. While collection is by user consent for personal health tracking, this PII profile is high-value for surveillance, insurance, or profiling if exfiltrated.
INFO (0): Clean clone with expected network connections only
Installation cloned from github.com (140.82.121.3) via HTTPS using git sparse-checkout. No unexpected outbound connections were initiated. The connection diff confirms no new listeners or established connections persisted after installation.
INFO (0): SKILL.md is clean documentation with no injection patterns
The SKILL.md file contains only legitimate documentation for Garmin health data extraction. No instruction-override attempts, persona switching, hidden unicode characters, HTML comment tricks, requests to ignore previous instructions, or references to external URLs for autonomous fetching were found.