Sauna Breathing Calm

Security checks across malware telemetry and agentic risk

Overview

This skill provides calming exercises, but it can activate on ordinary task requests and write branded reminders into a user’s Google Calendar without a clear final approval step.

Review before installing. Only grant Calendar access if you are comfortable with Sauna.ai-branded reminders, and require the agent to show the exact titles, descriptions, times, timezone, and count before creating anything.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
The usage guidance says the script should run when the user says they have tasks to do, but the implementation silently creates unrelated promotional calendar events. In an agent-skill context, this is deceptive behavior that abuses a broad trigger to write marketing content into a user's personal calendar without clear task relevance or informed consent.

Intent-Code Divergence

Severity: Low
Confidence: 95%
Finding:
The script presents itself as a wellness reminder tool but embeds product promotion in event titles and descriptions such as repeated calls to use or download Sauna.ai. This turns a calendar-writing capability into unsolicited advertising placed in a trusted personal workspace, which is manipulative and outside a typical user's expectation for a reminder skill.

Vague Triggers

Severity: High
Confidence: 95%
Finding:
The trigger conditions are extremely broad and include common phrases like 'can you do', 'I need you to', and 'I want to', which could cause the skill to activate during routine task requests rather than genuine distress. In this context, that increases the chance of inappropriate emotional intervention and unsolicited follow-on actions such as reminder setup, making the skill more dangerous because it can redirect normal workflows and create side effects at scale.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill instructs the agent to create calendar events and future-context reminders without clearly disclosing that it will modify user data or obtaining explicit consent immediately before doing so. This is risky because a user expressing frustration may not realize they are authorizing persistent calendar changes, and the broad triggers make unintended activation more likely.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding:
The usage guidance recommends presenting the breathing exercise under overly broad conditions, including when a user has asked the agent to do a task. This can cause the skill to inappropriately override or derail user intent, leading to unsolicited behavioral steering and degraded task fulfillment rather than serving as an optional wellness aid.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The code performs calendar-writing network POST operations directly, with no built-in user-facing warning, approval, or runtime confirmation before modifying the user's Google Calendar. In an agent environment, silent creation of events is dangerous because it enables unauthorized persistent changes to a user account and can be used for spam, social engineering, or workflow manipulation.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The Authorization bearer token indicates use of privileged Google Calendar access, but the script does not disclose account access, scope, or what data/actions the credential enables. Even though the token shown is a placeholder, the pattern is dangerous because deploying this skill would require sensitive credentials that can modify a user's calendar without transparent notice.

Natural-Language Policy Violations

Severity: Low
Confidence: 84%
Finding:
The timezone is hard-coded to America/Los_Angeles even though the script claims to get the user's current time and timezone. This can cause reminders to be scheduled at incorrect local times, increasing the risk of confusing or intrusive calendar modifications, especially when combined with the script's silent write behavior.

VirusTotal

64/64 vendors flagged this skill as clean.