garmin-connect
Fail
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's setup process utilizes piped shell execution for installation.
  - Evidence: README.md, SKILL.md, and install-skill.sh contain instructions to run "curl -fsSL https://raw.githubusercontent.com/eddmann/garmin-connect-cli/main/install.sh | sh" and similar commands.
  - Context: While the scripts are hosted on the vendor's own repository (eddmann/garmin-connect-cli), executing remote content via piped shell commands is a high-privilege operation.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface due to the ingestion of user-controlled data from an external API.
  - Ingestion points: Data enters the agent's context from Garmin Connect APIs through multiple commands in the src/garmin_connect_cli/commands/ directory (e.g., activities.py, health.py, context.py).
  - Boundary markers: Absent. The ingested data is interpolated into the agent's context without delimiters or instructions to disregard embedded commands.
  - Capability inventory: The skill possesses write and delete capabilities, including deleting activities (activities.py), logging weight, and deleting weight entries (weight.py).
  - Sanitization: Absent. There is no evidence of sanitization or escaping of external content before it is presented to the agent.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/eddmann/garmin-connect-cli/main/install.sh, https://raw.githubusercontent.com/${REPO}/main/install.sh - DO NOT USE without thorough review
Audit Metadata