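📦 Garmin Health Analysis - Health Data Analysis
v1.2.3 · Health analysis. Ask your Garmin data questions as if you were chatting: "What was my top skiing speed?", "How did I sleep last night?", "What was my heart rate at 3 PM?" Supports 20+ data types…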
Last updated
2026/4/20
Security scan
OpenClaw
Suspicious
Medium confidence. The skill appears to do what it says (fetch Garmin data) and only requires your Garmin credentials, but there are several coherence/privacy concerns—most notably a repository config.json containing credentials, use of an unofficial API, and locally stored session tokens that may be reusable by other components.
Assessment recommendations
Key things to consider before installing:
- Remove or rotate credentials: the repo contains a committed config.json with an email/password — treat that as a leaked credential and rotate the password immediately if it is real. Never keep real credentials in repo files. Prefer environment variables or the platform's secure secrets UI.
- Prefer ephemeral or minimal-privilege accounts: if possible create a dedicated Garmin account (or change your password) used only for this integration, so exposu...
✓ Purpose and capabilities
Name/description align with required pieces: the code and instructions only request Garmin account credentials and Python libraries (garminconnect, fitparse, gpxpy) which are expected for fetching and parsing Garmin data.
ℹ Instruction scope
Runtime instructions confine behavior to authenticating to Garmin, fetching/parsing activity and health data, generating charts, and saving tokens to ~/.clawdbot/garmin-tokens.json (or similar). They do not instruct reading unrelated system files. However the skill prioritizes multiple credential sources (CLI args, local config.json, env vars, Clawdbot config) which increases the ways credentials may be present on disk or in memory; the repo as distributed includes a config.json with an email/password which is an unexpected sensitive artifact.
✓ Installation mechanism
No remote binary downloads; dependency installation is via pip for known packages (garminconnect, fitparse, gpxpy). There is an install.sh wrapper that runs pip; nothing in the install spec downloads code from odd URLs or extracts archives.
⚠ Credential requirements
The only declared required env vars (GARMIN_EMAIL, GARMIN_PASSWORD) are appropriate. Concerns: (1) the repository contains a config.json with plaintext credentials committed in the manifest — this is disproportionate and dangerous, (2) session tokens are written to user home paths and the README notes tokens may be shared between Clawdbot and a separate MCP server, increasing the blast radius if other software or skills read those files, and (3) the skill uses the unofficial/reverse-engineered garminconnect library (documented), which may break or behave unexpectedly and may violate Garmin ToS.
ℹ Persistence and permissions
Skill does not request always:true or elevated system privileges. It persists session tokens locally and recommends installing packages; those tokens are long-lived and reusable, and documentation states they may be shared across MCP server/Clawdbot installations — a legitimate feature but one that increases risk if the filesystem or other local components are compromised or misconfigured.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest · v1.2.3 · 2026/4/20
Fork and update to 1.2.3
● Suspicious
Install command
Official: npx clawhub@latest install lovefromio-garmin-health-analysis
Mirror (accelerated): npx clawhub@latest install lovefromio-garmin-health-analysis --registry https://cn.longxiaskill.com (mirror syncing)