garmin-connect
Fail
Audited by Gen Agent Trust Hub on May 31, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's installation process fetches shell scripts from the author's GitHub repository (github.com/eddmann/garmin-connect-cli).
- [REMOTE_CODE_EXECUTION]: The skill instructions promote executing the downloaded scripts by piping curl output directly to sh, which enables the installation of the garmin-connect binary tool.
- [COMMAND_EXECUTION]: The agent utilizes the garmin-connect CLI tool to perform various operations, including listing fitness activities, downloading data files, and managing health metrics.
- [DATA_EXFILTRATION]: The skill retrieves sensitive health and fitness information from Garmin Connect, such as activity history, heart rate, and sleep metrics. This data is ingested into the agent's context. Authentication tokens are managed locally with restricted file permissions (0o600).
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the Garmin Connect API (e.g., activity titles and descriptions) and aggregates it for the agent's use without boundary markers or sanitization.
- Ingestion points: Activity names and descriptions fetched from the Garmin Connect API (specifically in src/garmin_connect_cli/commands/context.py).
- Boundary markers: None identified in the command outputs or prompt construction.
- Capability inventory: The CLI tool allows the agent to delete activity records, upload fitness files, and log weight metrics.
- Sanitization: External data fields are interpolated into agent outputs without sanitization or escaping.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/eddmann/garmin-connect-cli/main/install.sh, https://raw.githubusercontent.com/${REPO}/main/install.sh - DO NOT USE without thorough review
Audit Metadata