garmin-connect
Warn
Audited by Socket on May 31, 2026
1 alert found:
SecuritySecuritySKILL.md
MEDIUMSecurityMEDIUM
SKILL.md
SUSPICIOUS. The skill's purpose broadly matches its capabilities, but its trust model is weak: it installs a third-party CLI via pipe-to-shell and asks the user to authenticate to Garmin through that same non-official binary. That combination is disproportionate for a health-data skill and creates high supply-chain and credential-forwarding risk, even without direct evidence of malicious exfiltration.
Confidence: 88%Severity: 86%
Audit Metadata