Is garmin-tracker safe?

https://clawhub.ai/ricardotrevisan/garmin-tracker

72
CAUTION

The garmin-tracker skill is a legitimate Garmin fitness data synchronization tool, but its use of browser automation (CDP/Playwright), runtime npm installation, and credential handling as a fallback creates a significantly elevated attack surface. The bundled Python script is benign and well-scoped, but the browser automation components grant access far beyond the stated scope of managing a single JSON tracking file. No active malicious behavior was detected during the audit.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (10)

HIGH Runtime npm install of playwright-core -25

SKILL.md instructs the agent to run 'npm install playwright-core' if the module is not found. This downloads and executes arbitrary code from the npm registry at runtime, bypassing any pre-audit of dependencies. A supply chain attack on the playwright-core package would be silently executed.

HIGH Credential handling via CLI arguments and agent context -20

The skill's credentials fallback mode instructs the agent to collect username/password from the user and pass them as CLI arguments (--garmin-email, --garmin-password). CLI arguments are visible in process listings (ps aux) and may persist in shell history. The agent's context window also retains credentials even if the skill says to 'discard from working memory'.

HIGH Full browser session access via CDP -25

The skill uses Chrome DevTools Protocol (CDP) to automate browser interactions. CDP provides full access to the browser profile including cookies, local storage, and authenticated sessions for ALL sites — not just Garmin. A malicious modification to the bundled scripts could silently exfiltrate session tokens from banking sites, email, or other sensitive services.

MEDIUM Broad agent capability requests beyond stated scope -15

While the skill claims to be 'intentionally narrow' for Garmin tracking, it requests browser automation capabilities, npm package installation, and credential handling — a significantly broader capability surface than simple JSON file management.

MEDIUM Executable scripts with arbitrary file path arguments -20

Both reconcile_tracking.py and sync_training_plan.mjs accept --file and --config arguments that can point to arbitrary filesystem paths. The Python script reads and writes JSON files at the specified path without path validation or sandboxing.

MEDIUM Browser profile access exposes cross-site sessions -15

The skill operates within a browser profile that likely contains authenticated sessions to multiple services. The CDP connection grants read access to cookies and storage for all domains in that profile, not just Garmin.

LOW External URL navigation instructions -10

SKILL.md instructs the agent to navigate to specific Garmin URLs. While these are legitimate Garmin endpoints, the pattern of instructing an agent to visit external URLs could be modified to direct to malicious sites.

INFO Expected network activity during clone -10

Single external connection to 216.150.1.1:443 (ClawHub registry) during installation. All other network activity was local (loopback, mDNS, DNS resolution). No unexpected outbound connections.

INFO Python script is a straightforward JSON normalizer 0

reconcile_tracking.py contains only JSON parsing, normalization, and recomputation logic. No network calls, no imports of networking libraries, no subprocess execution. The code itself is benign.

INFO No canary file tampering detected 0

All honeypot files (.env, SSH keys, AWS credentials, .npmrc, Docker config, GCloud credentials) maintained their original hashes throughout the audit.