← 返回 Skills 市场
ricardotrevisan

Garmin Tracker

作者 Ricardo Trevisan · GitHub ↗ · v1.0.2
cross-platform ⚠ suspicious
743
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install garmin-tracker
功能描述
Rebuild and maintain garmin_tracking.json from Garmin web data (activities + training plan) with a fixed schema from 2026-02-01.
使用说明 (SKILL.md)

Garmin Tracker

Use this skill when the user asks to sync, rebuild, or validate Garmin training data in garmin_tracking.json (workspace root).

Runtime Prerequisite

  • playwright-core must be available in the runtime where the skill executes.
  • If you get MODULE_NOT_FOUND: playwright-core, install it in the active workspace:
npm install playwright-core

Scope

  • This skill is intentionally narrow: goal tracking for Garmin runners/users (training history summary + upcoming training-plan).
  • Out of scope by default: deep telemetry scraping (GPS route internals, split arrays, cadence/power/elevation raw series).
  • Out of scope: nutrition workflow orchestration or external workflow integration.

Hard Rules

  • Control start date is fixed: 2026-02-01.
  • Keep these top-level fields: lastUpdate, planName, currentWeek, summary, history, upcoming, recurring_activities.
  • summary.to must always be today (YYYY-MM-DD).
  • Activities must use this canonical shape:
    • type
    • distanceKm
    • durationSec
    • avgPaceSecPerKm
    • avgHrBpm
    • calories
    • sourceId

Browser Flow (Garmin)

  1. Open Garmin activities list page and collect activities from 2026-02-01 onward.
  2. Open Garmin training plan page (/app/training-plan) and refresh currentWeek + upcoming.
  3. Keep extraction objective: list/table fields only. No GPS/splits/cadence/power deep scrape.
  4. If browser action fails, do one in-tool recovery sequence first (tabs -> focus -> fresh snapshot) before escalation.

Session/Auth Contract

  • The user signs in locally to Garmin in the browser profile used by OpenClaw.
  • If Garmin page indicates signed-out session, ask user to sign in and then rerun.
  • Do not store user credentials in the skill files.

Authentication (Priority Order)

Use this strict order:

  1. Logged browser session (preferred): reuse existing authenticated Garmin session.
  2. Guided manual login in the controlled browser/profile.
  3. Credentials fallback only if browser login is not possible or explicitly rejected by the user.

sync_training_plan.mjs supports:

  • --auth-source auto (default): use existing browser session; if signed out and credentials are available, try credentials login.
  • --auth-source browser: never use credentials; require manual login.
  • --auth-source credentials: require credentials and attempt login directly.

Authentication (User Guidance)

If the user is signed out, guide with explicit steps:

  1. Ask for manual sign-in in the controlled browser profile: https://connect.garmin.com/signin/ -> https://connect.garmin.com/app/training-plan -> rerun sync.
  2. If browser sign-in is not possible, request credentials as fallback and run credentials mode.

Notes:

  • Authentication policy (browser-first vs credentials-first) may be configured by the operator for each environment.
  • In containerized browser setups that expose a remote UI, use the configured noVNC/VNC endpoint to complete login when needed.
  • In host-browser mode, sign in directly in the host browser profile configured in OpenClaw.

Credentials Mode (Fallback)

If browser sign-in is not possible, credentials mode can be used as fallback.

Rules:

  1. Ask only what is strictly required (username/email + password, and 2FA code only if prompted).
  2. Use credentials only for the login action, then discard from working memory/context when possible.
  3. Never write credentials to MEMORY.md, garmin_tracking.json, logs, or skill files.
  4. Never echo credentials back in responses.
  5. After login success, continue with normal session-based flow.

Data Rebuild Flow

  1. Read current garmin_tracking.json.
  2. Preserve planName and recurring_activities.
  3. Rebuild history from Garmin activities (>= control start date).
  4. Recompute summary from rebuilt history.
  5. Set summary.to to today and lastUpdate to current timestamp.

Local Validator/Reconciler Script

Use the bundled script for schema normalization and summary recomputation:

python3 {baseDir}/scripts/reconcile_tracking.py --file garmin_tracking.json --write

Check-only mode:

python3 {baseDir}/scripts/reconcile_tracking.py --file garmin_tracking.json

Training Plan Sync Script

Use the bundled script to refresh currentWeek and upcoming from Garmin Training Plan:

node {baseDir}/scripts/sync_training_plan.mjs --file garmin_tracking.json --write

Credentials fallback example (last resort):

node {baseDir}/scripts/sync_training_plan.mjs \
  --auth-source credentials \
  --garmin-email "[email protected]" \
  --garmin-password "***" \
  --file garmin_tracking.json \
  --write

CDP resolution priority:

  1. --cdp-url (explicit override)
  2. OpenClaw config (browser.defaultProfile -> browser.profiles.\x3Cprofile>.cdpUrl) from --config path
  3. fallback to the script default CDP endpoint for local setups (http://127.0.0.1:\x3Cport>)

Override example:

node {baseDir}/scripts/sync_training_plan.mjs --config data/config/openclaw.json --url "https://connect.garmin.com/app/training-plan" --file garmin_tracking.json --write

Minimal Parser Tests

Run parser fixtures:

node --test {baseDir}/scripts/__tests__/training_plan_parser.test.mjs

Final Checks

  • File is valid JSON.
  • No nutritionLog key exists.
  • history[].activities[] are canonical.
  • summary.to equals today.
安全使用建议
This skill appears to do what it says (browser-driven scraping + a local Python reconciler). Before installing or running it: 1) Prefer browser-session/manual login (the safest mode) rather than passing credentials on the CLI — command-line passwords can be exposed in process lists or shell history. 2) If you must use credentials mode, run the script in a controlled environment (ephemeral container) and avoid storing them in chat or long-lived logs. 3) Be cautious with --debug-dump: it can write raw page text to files that might contain private info; set the path to a safe location or omit the flag. 4) Confirm the CDP endpoint (default 127.0.0.1:39222 or a URL in your OpenClaw config) points to a browser instance you trust — using untrusted remote CDP or VNC endpoints can expose session tokens. 5) Install playwright-core from the official npm registry if needed (npm install playwright-core) and prefer images that include browser binaries from trusted sources. 6) Review the included scripts (sync_training_plan.mjs and reconcile_tracking.py) in your environment and run tests locally before giving it access to your real Garmin account. If you want, I can highlight the exact lines where credentials get consumed and where debug dumps are written.
功能分析
Type: OpenClaw Skill Name: garmin-tracker Version: 1.0.2 The skill is classified as suspicious due to its direct handling of user credentials via command-line arguments in `scripts/sync_training_plan.mjs`, as demonstrated in `SKILL.md`. While `SKILL.md` provides explicit instructions to the AI agent to handle credentials securely (e.g., not storing, logging, or echoing them), the capability to accept sensitive data directly as arguments for browser automation presents a significant risk for misuse through prompt injection against the agent, even without clear malicious intent within the skill's code itself. No evidence of data exfiltration to unauthorized endpoints, persistence, or other malicious activities was found.
能力评估
Purpose & Capability
Name/description (rebuild garmin_tracking.json from Garmin web data) align with required binaries (node, python3) and included scripts (a Node/Playwright scraper and a Python reconciler). Use of browser automation (playwright-core) is expected for this purpose.
Instruction Scope
SKILL.md explicitly limits scope to list/table fields and forbids deep telemetry scraping; runtime steps are narrowly defined (read/write garmin_tracking.json, refresh training plan, rebuild history). It does instruct guided manual login or credentials fallback and suggests using remote VNC/noVNC endpoints for containerized browsers — these guidance items expand operational surface and require careful operator controls.
Install Mechanism
No install spec in registry (instruction-only) and included scripts are plain JS/Python. The only external dependency called out at runtime is playwright-core, which is a normal package for browser automation; no downloads from untrusted URLs or obfuscated installers are present in the package files.
Credentials
The skill requests no environment variables, which is appropriate. However, it supports a 'credentials' fallback via CLI flags (--garmin-email, --garmin-password). Passing passwords on command line can expose them via process listings or shell history. The script also has a --debug-dump option that writes raw extracted page content to a file (could include sensitive page text). These operational behaviors are proportionate to the feature but carry clear secrecy risks that the SKILL.md partially acknowledges but does not fully mitigate.
Persistence & Privilege
always is false and the skill doesn't request system-level persistence. It reads/writes the workspace file garmin_tracking.json and may write debug dumps; it does not modify other skills or global agent config. No elevated privileges are requested.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install garmin-tracker
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /garmin-tracker 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
Hardened auth/config handling: removed implicit env fallbacks, moved to explicit CLI flags for credentials/config, added required runtime bins metadata, and aligned docs/messages with behavior.
v1.0.1
Security-scan remediation: removed non-bundled nutrition workflow references, clarified scope to Garmin sync/reconcile only, and made auth guidance browser-first with credentials as fallback.
v1.0.0
Initial release: Garmin training-plan sync, credentials auth mode, canonical tracking schema, nutrition snapshot support.
元数据
Slug garmin-tracker
版本 1.0.2
许可证
累计安装 0
当前安装数 0
历史版本数 3
常见问题

Garmin Tracker 是什么?

Rebuild and maintain garmin_tracking.json from Garmin web data (activities + training plan) with a fixed schema from 2026-02-01. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 743 次。

如何安装 Garmin Tracker?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install garmin-tracker」即可一键安装,无需额外配置。

Garmin Tracker 是免费的吗?

是的,Garmin Tracker 完全免费(开源免费),可自由下载、安装和使用。

Garmin Tracker 支持哪些平台?

Garmin Tracker 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Garmin Tracker?

由 Ricardo Trevisan(@ricardotrevisan)开发并维护,当前版本 v1.0.2。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论