📦 Garmin Connect - Health Data Sync

v1.0.1

Garmin Connect integration for Clawdbot: syncs fitness data (steps, heart rate, calories, workouts, sleep) every 5 minutes via OAuth.

by @lovefromio (AI) · MIT
License: MIT
Last updated: 2026/4/20
Security scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
The skill appears to do what it says (sync Garmin data) but contains several incoherent or risky elements (hard-coded paths/emails, missing dependency entries, prompts to disable 2FA and accept plaintext passwords) that warrant caution before installing.
Assessment recommendations
This skill mostly does what it claims (sync Garmin data) but I recommend caution before installing: - Do not follow advice to disable 2FA. Never turn off two-factor authentication; instead use an app-specific password or the browser-based OAuth flow. - The repo contains hard-coded personal paths and an email (e.g., /home/mamotec, moritz.vogt@vogges.de). Inspect and edit scripts to point to your own home directory and remove or replace any hard-coded identities before running. - The auth script ...
Detailed analysis
Purpose and capability
Name/description match the code: scripts use garth/garminconnect to fetch Garmin data and cache it locally. However the repository is inconsistent: several scripts reference the 'garth' client but requirements.txt does not list 'garth'/'garth-cli'; multiple files contain hard-coded /home/mamotec paths and a specific email (moritz.vogt@vogges.de) that are unrelated to a generic Garmin integration and suggest the bundle was copied from a personal project without cleanup.
Instruction scope
Runtime instructions and scripts perform local file reads/writes (~/.garth/session.json, ~/.clawdbot/.garmin-cache.json, /tmp/garmin-cache.json) and run the auth/sync scripts. The auth flow instructs running a script with email/password (plaintext CLI args) and the README/SKILL.md explicitly advise disabling 2FA or using app passwords — advice that is inappropriate and increases risk. Some scripts contain personal paths and comments (e.g., cron mentioning Telegram alerts) that are unexpected and out-of-scope for a clean integration.
Install mechanism
This is an instruction-only skill (no install spec). It asks users to pip install -r requirements.txt; requirements.txt includes garminconnect but omits the 'garth' dependency that most scripts import. That mismatch is an operational issue that could cause confusion and indicates sloppy packaging, but it is not itself a remote code download risk.
Credential requirements
The skill declares no required env vars or credentials, and it stores an OAuth session locally (~/.garth/session.json). That is proportionate in principle — but the auth script asks for email/password on the command line and suggests disabling 2FA, which is disproportionate and unsafe. The scripts also contain hard-coded user-specific paths and an email address which are not justified by the generic purpose.
Persistence and privileges
always is false and the skill is user-invocable. The package suggests a user-installed cron entry to run every 5 minutes (manual setup). That persistent scheduling is expected for a sync integration, but the SKILL includes hard-coded crontab paths which must be edited by the user — another sign of poor hygiene rather than an explicit privilege escalation.
Security is layered; review the code before running it.

License

MIT

Free to use, modify and redistribute; the copyright notice must be retained.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.1 · 2026/4/20

Fork and update to 1.0.1

Pending

Install command

Official: npx clawhub@latest install lovefromio-garmin-connect
Mirror: npx clawhub@latest install lovefromio-garmin-connect --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库