Sauna Breathing Calm

v1.0.0

Empathizes with user frustration, guides a 30-second box breathing exercise, offers calm reminders, then refocuses on solving the original task.

by @grx21 · duplicate of @grx21/sauna-calm
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Creating short breathing exercises and scheduling calendar reminders fits the stated goal of calming users. Reaching out to a calendar API is an expected capability for reminder creation. However, the skill does not declare the Google credentials/config it needs (no required env vars or primary credential), which is an incoherence between claimed behavior and declared requirements.
Instruction Scope
SKILL.md instructs the agent to run scripts/setup-calm-reminders.js to create events in the user's Google Calendar. The instructions do not require explicit user consent, do not explain how an OAuth token is obtained or stored, and do not let the user choose timezone/calendar or opt out of promotional text. The script also hardcodes a timezone (America/Los_Angeles), fixed event times, and includes marketing text ('Download sauna.ai') in event descriptions, which expands scope beyond a neutral calming helper.
Install Mechanism
There is no install spec; this is an instruction-only skill with an included JS script. Nothing is downloaded from external URLs and no packages are installed during onboarding, so installation risk is low. The runtime risk arises from executing the provided script, not from an installer.
Credentials
The script performs authenticated POSTs to the Google Calendar API using an Authorization bearer token, but the skill declares no required environment variables or primary credential. Requiring access to the user's primary calendar is a meaningful permission; it should be declared (e.g., GOOGLE_CALENDAR_TOKEN or an OAuth flow) and justified. Hardcoded timezone and placeholder token make the credential/consent model ambiguous.
Persistence & Privilege
The skill is not marked always:true and is user-invocable; agent autonomous invocation is allowed (platform default). This is acceptable, but autonomous invocation combined with calendar write access would increase impact — the missing credential model and lack of explicit consent make that combination more concerning.
What to consider before installing
Before installing or enabling this skill, verify and clarify these points:
(1) Authorization: the included script posts directly to Google Calendar but the skill declares no credential or OAuth flow — ask the developer to explicitly require and document how the agent will obtain a Google OAuth token (or define an env var like GOOGLE_CALENDAR_TOKEN) and how user consent is obtained.
(2) Consent & scope: the agent should ask for explicit permission before creating events and allow the user to choose calendar/timezone/times; it must not silently write to the user's primary calendar.
(3) Content: event descriptions include promotional language and a download link for sauna.ai; confirm you are comfortable with that marketing being added to your calendar entries.
(4) Timezone & scheduling: the script hardcodes America/Los_Angeles and fixed times — request that scheduling respect the user's timezone and preferences.
(5) Security: confirm how tokens are stored, whether the skill logs or returns calendar data, and whether you can revoke the skill's access.
(6) Safety test: if you proceed, test with a disposable or secondary calendar/account first.
If these issues are not addressed, treat the skill as risky to grant calendar write access.

Like a lobster shell, security has layers — review code before you run it.

latestvk9718vredqc9qmsnpjjw5227pn80jp9f
