Trust Assessment
garmin-connect received a trust score of 23/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 0 critical, 3 high, 5 medium, and 0 low severity. Key findings include unsafe deserialization / dynamic eval, sensitive path access (AI agent config), and unpinned Python dependency versions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Sensitive path access: AI agent config. Access to the AI agent config path '~/.clawdbot/' detected; this may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/rayleigh3105/garmin-connect/SKILL.md:45 |
| HIGH | Sensitive path access: AI agent config. Access to the AI agent config path '~/.clawdbot/' detected; this may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/rayleigh3105/garmin-connect/SKILL.md:102 |
| HIGH | Insecure credential handling via command-line arguments. The `garmin-auth.py` script accepts the user's Garmin email and password directly as command-line arguments. Credentials passed this way can be exposed in shell history, process lists (e.g., `ps aux`), and system logs, making them readable by local attackers or other processes on the system. Although this is a one-time setup step, it still presents a significant credential-exposure risk. Avoid passing secrets such as passwords as command-line arguments; use a secure input method (e.g., `getpass` for interactive prompts), an environment variable, or an OAuth flow that does not require the password at all (as `garmin-auth-oauth.py` attempts to do). If environment variables are used, clear them after use. | LLM | scripts/garmin-auth.py:40 |
| MEDIUM | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code-execution patterns: legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/rayleigh3105/garmin-connect/scripts/garmin-formatter.py:4 |
| MEDIUM | Unpinned Python dependency version. Requirement 'garminconnect>=0.3.2' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/rayleigh3105/garmin-connect/requirements.txt:1 |
| MEDIUM | Unpinned Python dependency version. Requirement 'requests>=2.28.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/rayleigh3105/garmin-connect/requirements.txt:2 |
| MEDIUM | Unpinned Python dependency version. Requirement 'python-dateutil>=2.8.2' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/rayleigh3105/garmin-connect/requirements.txt:3 |
| MEDIUM | Missing core dependency in requirements.txt. The `garth` library is a critical dependency for authentication and data syncing, as evidenced by its import and use in `garmin-auth.py`, `garmin-sync.py`, `garmin-auth-oauth.py`, and `garmin-sync-oauth.py`, yet it is not listed in `requirements.txt`. This omission can cause installation failures, unexpected behavior, or users installing an incorrect or potentially malicious package when they resolve the dependency by hand. Add `garth` to `requirements.txt` with a specific, pinned version (e.g., `garth==X.Y.Z`) so installations are consistent and reproducible, and update the installation instructions in `SKILL.md` to reflect the complete dependency list. | LLM | requirements.txt:1 |
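The HIGH finding on `garmin-auth.py` concerns a password arriving as a command-line argument. The following is an added example written for this report, not the skill's script: it puts the flagged pattern (`insecure_parse`) next to a hardened intake (`secure_credentials`) that takes the password from an environment variable or a no-echo `getpass` prompt and refuses a `--password` flag outright. The variable name `GARMIN_PASSWORD`, both function names, and the `prog` string are assumptions for illustration.

```python
"""Added example for the garmin-auth.py credential finding; not the skill's own code.

insecure_parse() reproduces the flagged pattern: the password is an argv
item, so it sits in /proc/<pid>/cmdline, `ps aux` output and shell history
for as long as the process runs or the history file exists.
secure_credentials() takes the password from an environment variable
(GARMIN_PASSWORD is an assumed name) or a no-echo prompt, and rejects any
attempt to pass it on the command line.
"""
import argparse
import getpass
import os
from typing import Callable, MutableMapping, Optional, Sequence, Tuple

ENV_VAR = "GARMIN_PASSWORD"  # assumed name; the skill itself defines no such variable


def insecure_parse(argv: Sequence[str]) -> Tuple[str, str]:
    """The pattern SkillShield flagged: email and password as positional arguments."""
    parser = argparse.ArgumentParser(prog="garmin-auth")
    parser.add_argument("email")
    parser.add_argument("password")  # readable by every local user via ps / procfs
    args = parser.parse_args(list(argv))
    return args.email, args.password


def secure_credentials(
    argv: Sequence[str],
    environ: Optional[MutableMapping[str, str]] = None,
    prompt: Callable[[str], str] = getpass.getpass,
) -> Tuple[str, str]:
    """Hardened intake: the email may be an argument, the password never is.

    `environ` and `prompt` are injectable so the function can be tested; the
    defaults are the real process environment and getpass.getpass.
    """
    if environ is None:
        environ = os.environ
    parser = argparse.ArgumentParser(prog="garmin-auth")
    parser.add_argument("email")
    # Declared so that a caller who passes it gets an explicit refusal instead of a
    # generic usage error. The value has already hit the process list by then, so
    # the only safe response is to stop and tell the user where the secret belongs.
    parser.add_argument("--password", help=argparse.SUPPRESS)
    args = parser.parse_args(list(argv))
    if args.password is not None:
        raise ValueError(
            f"refusing --password on the command line; set {ENV_VAR} "
            "or answer the interactive prompt"
        )
    # pop() rather than get(): processes spawned later will not inherit the secret,
    # which is the "clear after use" part of the finding's recommendation.
    password = environ.pop(ENV_VAR, None)
    if not password:
        password = prompt("Garmin password: ")  # getpass does not echo to the terminal
    if not password:
        raise ValueError("no password supplied")
    return args.email, password


if __name__ == "__main__":
    import sys

    email, _password = secure_credentials(sys.argv[1:])
    print(f"credentials collected for {email}; the password never touched argv")
```

Run it as `GARMIN_PASSWORD=... python garmin_auth_example.py you@example.com` or with no variable set to get the prompt. Passing `--password` on the command line raises immediately; the point of keeping the flag declared is that the refusal names the correct channel rather than leaving the user to guess.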
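The three Dependencies findings (unpinned `>=` specifiers) and the LLM finding (an imported `garth` with no entry in `requirements.txt`) are both mechanically checkable. The following is an added example, not SkillShield's scanner and not the skill's code: it parses a requirements file, reports every line that is not an exact `==` pin, and walks a script's import statements with `ast` to find third-party modules that no requirement covers. The `REQUIREMENTS` and `SCRIPT_SOURCE` strings are constructed to mirror the report (the real `garmin-auth.py` is not on this page), and the `IMPORT_TO_DIST` mapping is an assumption sufficient for this sample.

```python
"""Added example for the dependency findings; not SkillShield's scanner and not the skill's code.

Two checks over constructed inputs that mirror the report:
  1. every line in requirements.txt pins an exact version with '==';
  2. every third-party module the scripts import is covered by a requirement,
     which is how the undeclared `garth` import would be caught.
"""
import ast
import importlib.util
import re
import sys
from typing import Dict, List, Set, Tuple

# Constructed: the three lines the report quotes, with no garth entry.
REQUIREMENTS = """\
garminconnect>=0.3.2
requests>=2.28.0
python-dateutil>=2.8.2
"""

# Constructed stand-in for the imports of garmin-auth.py; the real file is not on the page.
SCRIPT_SOURCE = """\
import os
import sys
import garth
import requests
from garminconnect import Garmin
from dateutil import parser as date_parser
"""

# Import name -> distribution name where the two differ. Assumed mapping, enough for
# this sample; a real tool would consult importlib.metadata.packages_distributions().
IMPORT_TO_DIST = {"dateutil": "python-dateutil"}

REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*"
    r"(?P<op>===|==|~=|>=|<=|!=|>|<)?\s*(?P<ver>[^\s;#]*)"
)


def normalize(name: str) -> str:
    """PEP 503 name normalisation: 'Python_DateUtil' and 'python-dateutil' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> Dict[str, Tuple[str, str, bool]]:
    """Map normalized name -> (operator, version, has_hash) for each requirement line."""
    reqs: Dict[str, Tuple[str, str, bool]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment-only, or an option line such as "-r other.txt"
        m = REQ_LINE.match(line)
        if m:
            reqs[normalize(m["name"])] = (m["op"] or "", m["ver"], "--hash=" in line)
    return reqs


def unpinned(reqs: Dict[str, Tuple[str, str, bool]]) -> List[str]:
    """Names whose specifier is not an exact '==' pin (a wildcard such as 2.* also counts)."""
    return [
        name for name, (op, ver, _has_hash) in reqs.items()
        if op not in ("==", "===") or not ver or "*" in ver
    ]


def _is_stdlib(module: str) -> bool:
    if hasattr(sys, "stdlib_module_names"):  # Python 3.10+
        return module in sys.stdlib_module_names
    # Fallback heuristic for older interpreters: importable and not from site-packages.
    spec = importlib.util.find_spec(module)
    return spec is not None and (spec.origin is None or "site-packages" not in spec.origin)


def imported_top_level(source: str) -> Set[str]:
    """Top-level module names from absolute imports, taken from the AST (nothing is executed)."""
    names: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names


def missing_requirements(source: str, reqs: Dict[str, Tuple[str, str, bool]]) -> List[str]:
    """Third-party imports with no matching requirement, in sorted order."""
    missing = []
    for module in sorted(imported_top_level(source)):
        if _is_stdlib(module):
            continue
        if normalize(IMPORT_TO_DIST.get(module, module)) not in reqs:
            missing.append(module)
    return missing


if __name__ == "__main__":
    parsed = parse_requirements(REQUIREMENTS)
    print("unpinned:", unpinned(parsed))
    print("missing :", missing_requirements(SCRIPT_SOURCE, parsed))
```

On the constructed input the first check lists all three packages and the second lists `garth`, matching the report. Pinning with `==` removes the version drift; adding `--hash=` to each line (tracked by the `has_hash` flag) is what actually stops a substituted package from installing, so a stricter policy would treat a pin without a hash as a finding as well.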
Full report: https://skillshield.io/report/452835f210538a56
Powered by SkillShield