garmin-health-analysis
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFECREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill requires the user's Garmin email and password to function. It supports several methods for credential storage, including environment variables (
GARMIN_EMAIL,GARMIN_PASSWORD), a localconfig.jsonfile, and the ThinkFleet configuration file (~/.thinkfleet/thinkfleet.json). While the documentation provides security tips like gitignoring the local config, managing plain-text credentials poses a risk of local exposure. - [COMMAND_EXECUTION]: The skill's core functionality relies on the execution of multiple Python scripts (
scripts/garmin_auth.py,scripts/garmin_data.py, andscripts/garmin_chart.py) to authenticate, fetch data, and generate visualizations. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) because it processes untrusted data from an external source (Garmin Connect API) and incorporates it into the agent's context to answer user questions.
- Ingestion points: Data is ingested through
scripts/garmin_data.pywhich queries Garmin's unofficial API for sleep, activities, and other health metrics. - Boundary markers: The provided documentation does not specify the use of delimiters or instructions to ignore embedded commands within the fetched data.
- Capability inventory: The skill can execute subprocesses via Python scripts to perform network operations and file writes (HTML charts).
- Sanitization: There is no mention of sanitizing or validating the JSON data returned from the API before it is interpreted by the LLM.
Audit Metadata