📦 Garmin Tracker — 同步Garmin数据
v1.0.2自动拉取并重建 garmin_tracking.json,合并活动与训练计划数据,保持2026-02-01后固定Schema,实现运动记录本地持久化。
0· 697·0 当前·0 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
安全
medium confidenceNULL
评估建议
This skill appears to do what it says (browser-driven scraping + a local Python reconciler). Before installing or running it: 1) Prefer browser-session/manual login (the safest mode) rather than passing credentials on the CLI — command-line passwords can be exposed in process lists or shell history. 2) If you must use credentials mode, run the script in a controlled environment (ephemeral container) and avoid storing them in chat or long-lived logs. 3) Be cautious with --debug-dump: it can write...详细分析 ▾
✓ 用途与能力
Name/description (rebuild garmin_tracking.json from Garmin web data) align with required binaries (node, python3) and included scripts (a Node/Playwright scraper and a Python reconciler). Use of browser automation (playwright-core) is expected for this purpose.
ℹ 指令范围
SKILL.md explicitly limits scope to list/table fields and forbids deep telemetry scraping; runtime steps are narrowly defined (read/write garmin_tracking.json, refresh training plan, rebuild history). It does instruct guided manual login or credentials fallback and suggests using remote VNC/noVNC endpoints for containerized browsers — these guidance items expand operational surface and require careful operator controls.
✓ 安装机制
No install spec in registry (instruction-only) and included scripts are plain JS/Python. The only external dependency called out at runtime is playwright-core, which is a normal package for browser automation; no downloads from untrusted URLs or obfuscated installers are present in the package files.
⚠ 凭证需求
The skill requests no environment variables, which is appropriate. However, it supports a 'credentials' fallback via CLI flags (--garmin-email, --garmin-password). Passing passwords on command line can expose them via process listings or shell history. The script also has a --debug-dump option that writes raw extracted page content to a file (could include sensitive page text). These operational behaviors are proportionate to the feature but carry clear secrecy risks that the SKILL.md partially acknowledges but does not fully mitigate.
✓ 持久化与权限
always is false and the skill doesn't request system-level persistence. It reads/writes the workspace file garmin_tracking.json and may write debug dumps; it does not modify other skills or global agent config. No elevated privileges are requested.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.22026/2/17
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install garmin-tracker
镜像加速npx clawhub@latest install garmin-tracker --registry https://cn.longxiaskill.com