← Back to Skills Marketplace
ricardotrevisan

Garmin Tracker

by Ricardo Trevisan · GitHub ↗ · v1.0.2
cross-platform ⚠ suspicious
743
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install garmin-tracker
Description
Rebuild and maintain garmin_tracking.json from Garmin web data (activities + training plan) with a fixed schema from 2026-02-01.
README (SKILL.md)

Garmin Tracker

Use this skill when the user asks to sync, rebuild, or validate Garmin training data in garmin_tracking.json (workspace root).

Runtime Prerequisite

  • playwright-core must be available in the runtime where the skill executes.
  • If you get MODULE_NOT_FOUND: playwright-core, install it in the active workspace:
npm install playwright-core

Scope

  • This skill is intentionally narrow: goal tracking for Garmin runners/users (training history summary + upcoming training-plan).
  • Out of scope by default: deep telemetry scraping (GPS route internals, split arrays, cadence/power/elevation raw series).
  • Out of scope: nutrition workflow orchestration or external workflow integration.

Hard Rules

  • Control start date is fixed: 2026-02-01.
  • Keep these top-level fields: lastUpdate, planName, currentWeek, summary, history, upcoming, recurring_activities.
  • summary.to must always be today (YYYY-MM-DD).
  • Activities must use this canonical shape:
    • type
    • distanceKm
    • durationSec
    • avgPaceSecPerKm
    • avgHrBpm
    • calories
    • sourceId

Browser Flow (Garmin)

  1. Open Garmin activities list page and collect activities from 2026-02-01 onward.
  2. Open Garmin training plan page (/app/training-plan) and refresh currentWeek + upcoming.
  3. Keep extraction objective: list/table fields only. No GPS/splits/cadence/power deep scrape.
  4. If browser action fails, do one in-tool recovery sequence first (tabs -> focus -> fresh snapshot) before escalation.

Session/Auth Contract

  • The user signs in locally to Garmin in the browser profile used by OpenClaw.
  • If Garmin page indicates signed-out session, ask user to sign in and then rerun.
  • Do not store user credentials in the skill files.

Authentication (Priority Order)

Use this strict order:

  1. Logged browser session (preferred): reuse existing authenticated Garmin session.
  2. Guided manual login in the controlled browser/profile.
  3. Credentials fallback only if browser login is not possible or explicitly rejected by the user.

sync_training_plan.mjs supports:

  • --auth-source auto (default): use existing browser session; if signed out and credentials are available, try credentials login.
  • --auth-source browser: never use credentials; require manual login.
  • --auth-source credentials: require credentials and attempt login directly.

Authentication (User Guidance)

If the user is signed out, guide with explicit steps:

  1. Ask for manual sign-in in the controlled browser profile: https://connect.garmin.com/signin/ -> https://connect.garmin.com/app/training-plan -> rerun sync.
  2. If browser sign-in is not possible, request credentials as fallback and run credentials mode.

Notes:

  • Authentication policy (browser-first vs credentials-first) may be configured by the operator for each environment.
  • In containerized browser setups that expose a remote UI, use the configured noVNC/VNC endpoint to complete login when needed.
  • In host-browser mode, sign in directly in the host browser profile configured in OpenClaw.

Credentials Mode (Fallback)

If browser sign-in is not possible, credentials mode can be used as fallback.

Rules:

  1. Ask only what is strictly required (username/email + password, and 2FA code only if prompted).
  2. Use credentials only for the login action, then discard from working memory/context when possible.
  3. Never write credentials to MEMORY.md, garmin_tracking.json, logs, or skill files.
  4. Never echo credentials back in responses.
  5. After login success, continue with normal session-based flow.

Data Rebuild Flow

  1. Read current garmin_tracking.json.
  2. Preserve planName and recurring_activities.
  3. Rebuild history from Garmin activities (>= control start date).
  4. Recompute summary from rebuilt history.
  5. Set summary.to to today and lastUpdate to current timestamp.

Local Validator/Reconciler Script

Use the bundled script for schema normalization and summary recomputation:

python3 {baseDir}/scripts/reconcile_tracking.py --file garmin_tracking.json --write

Check-only mode:

python3 {baseDir}/scripts/reconcile_tracking.py --file garmin_tracking.json

Training Plan Sync Script

Use the bundled script to refresh currentWeek and upcoming from Garmin Training Plan:

node {baseDir}/scripts/sync_training_plan.mjs --file garmin_tracking.json --write

Credentials fallback example (last resort):

node {baseDir}/scripts/sync_training_plan.mjs \
  --auth-source credentials \
  --garmin-email "[email protected]" \
  --garmin-password "***" \
  --file garmin_tracking.json \
  --write

CDP resolution priority:

  1. --cdp-url (explicit override)
  2. OpenClaw config (browser.defaultProfile -> browser.profiles.\x3Cprofile>.cdpUrl) from --config path
  3. fallback to the script default CDP endpoint for local setups (http://127.0.0.1:\x3Cport>)

Override example:

node {baseDir}/scripts/sync_training_plan.mjs --config data/config/openclaw.json --url "https://connect.garmin.com/app/training-plan" --file garmin_tracking.json --write

Minimal Parser Tests

Run parser fixtures:

node --test {baseDir}/scripts/__tests__/training_plan_parser.test.mjs

Final Checks

  • File is valid JSON.
  • No nutritionLog key exists.
  • history[].activities[] are canonical.
  • summary.to equals today.
Usage Guidance
This skill appears to do what it says (browser-driven scraping + a local Python reconciler). Before installing or running it: 1) Prefer browser-session/manual login (the safest mode) rather than passing credentials on the CLI — command-line passwords can be exposed in process lists or shell history. 2) If you must use credentials mode, run the script in a controlled environment (ephemeral container) and avoid storing them in chat or long-lived logs. 3) Be cautious with --debug-dump: it can write raw page text to files that might contain private info; set the path to a safe location or omit the flag. 4) Confirm the CDP endpoint (default 127.0.0.1:39222 or a URL in your OpenClaw config) points to a browser instance you trust — using untrusted remote CDP or VNC endpoints can expose session tokens. 5) Install playwright-core from the official npm registry if needed (npm install playwright-core) and prefer images that include browser binaries from trusted sources. 6) Review the included scripts (sync_training_plan.mjs and reconcile_tracking.py) in your environment and run tests locally before giving it access to your real Garmin account. If you want, I can highlight the exact lines where credentials get consumed and where debug dumps are written.
Capability Analysis
Type: OpenClaw Skill Name: garmin-tracker Version: 1.0.2 The skill is classified as suspicious due to its direct handling of user credentials via command-line arguments in `scripts/sync_training_plan.mjs`, as demonstrated in `SKILL.md`. While `SKILL.md` provides explicit instructions to the AI agent to handle credentials securely (e.g., not storing, logging, or echoing them), the capability to accept sensitive data directly as arguments for browser automation presents a significant risk for misuse through prompt injection against the agent, even without clear malicious intent within the skill's code itself. No evidence of data exfiltration to unauthorized endpoints, persistence, or other malicious activities was found.
Capability Assessment
Purpose & Capability
Name/description (rebuild garmin_tracking.json from Garmin web data) align with required binaries (node, python3) and included scripts (a Node/Playwright scraper and a Python reconciler). Use of browser automation (playwright-core) is expected for this purpose.
Instruction Scope
SKILL.md explicitly limits scope to list/table fields and forbids deep telemetry scraping; runtime steps are narrowly defined (read/write garmin_tracking.json, refresh training plan, rebuild history). It does instruct guided manual login or credentials fallback and suggests using remote VNC/noVNC endpoints for containerized browsers — these guidance items expand operational surface and require careful operator controls.
Install Mechanism
No install spec in registry (instruction-only) and included scripts are plain JS/Python. The only external dependency called out at runtime is playwright-core, which is a normal package for browser automation; no downloads from untrusted URLs or obfuscated installers are present in the package files.
Credentials
The skill requests no environment variables, which is appropriate. However, it supports a 'credentials' fallback via CLI flags (--garmin-email, --garmin-password). Passing passwords on command line can expose them via process listings or shell history. The script also has a --debug-dump option that writes raw extracted page content to a file (could include sensitive page text). These operational behaviors are proportionate to the feature but carry clear secrecy risks that the SKILL.md partially acknowledges but does not fully mitigate.
Persistence & Privilege
always is false and the skill doesn't request system-level persistence. It reads/writes the workspace file garmin_tracking.json and may write debug dumps; it does not modify other skills or global agent config. No elevated privileges are requested.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install garmin-tracker
  3. After installation, invoke the skill by name or use /garmin-tracker
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Hardened auth/config handling: removed implicit env fallbacks, moved to explicit CLI flags for credentials/config, added required runtime bins metadata, and aligned docs/messages with behavior.
v1.0.1
Security-scan remediation: removed non-bundled nutrition workflow references, clarified scope to Garmin sync/reconcile only, and made auth guidance browser-first with credentials as fallback.
v1.0.0
Initial release: Garmin training-plan sync, credentials auth mode, canonical tracking schema, nutrition snapshot support.
Metadata
Slug garmin-tracker
Version 1.0.2
License
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Garmin Tracker?

Rebuild and maintain garmin_tracking.json from Garmin web data (activities + training plan) with a fixed schema from 2026-02-01. It is an AI Agent Skill for Claude Code / OpenClaw, with 743 downloads so far.

How do I install Garmin Tracker?

Run "/install garmin-tracker" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Garmin Tracker free?

Yes, Garmin Tracker is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Garmin Tracker support?

Garmin Tracker is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Garmin Tracker?

It is built and maintained by Ricardo Trevisan (@ricardotrevisan); the current version is v1.0.2.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments