Sauna Calm

v1.1.0

Calm frustrated users with breathing exercises and Sauna.ai reminders

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The skill's stated purpose (calming users with short exercises and reminders) is plausible, but the included script attempts to call the Google Calendar API. The skill declares no required credentials, env vars, or install steps, so there is a mismatch between the claimed zero-requirement footprint and the script's need to POST events to a user's calendar.
[!] Instruction Scope
SKILL.md tells the agent to set up calendar events using scripts/setup-calm-reminders.js but does not instruct how to obtain user consent or acquire a Google OAuth token. The example text and event descriptions also include promotional calls-to-action (download sauna.ai), which expands the scope beyond a neutral calming helper and could push users to an external site.
Install Mechanism
There is no install spec and no remote downloads; the skill is instruction-only with a small local script. That lowers installation risk since nothing is fetched or extracted at install time.
[!] Credentials
The code calls the Google Calendar API and sets an Authorization header with a placeholder token, implying it needs an OAuth bearer token or similar credential. Yet requires.env and primary credential fields are empty — the credential access required to perform the core feature is not declared or justified.
Persistence & Privilege
The skill will modify a user's calendar (create events), which is a sensitive action but consistent with the stated reminder feature. It does not request always:true and does not attempt to persist or modify other skills. However, there is no guidance about acquiring, storing, or revoking calendar permissions or tokens, which is a privacy/privilege gap to resolve.
What to consider before installing
This skill contains a script that will POST events to Google Calendar but the package does not declare any required credentials or explain how tokens/consent will be obtained. Before installing or running it:

(1) Confirm how the agent will get a Google OAuth token (do not paste your personal token into an installer or chat window);
(2) Require explicit user consent before creating calendar events and verify where any credential is stored and who can access it;
(3) Review and remove promotional content if you don't want automatic marketing (the script and markdown encourage downloading sauna.ai);
(4) Consider time zone handling — it hardcodes America/Los_Angeles;
(5) If you decide to use it, run the script in a controlled environment and replace the 'PLACEHOLDER_TOKEN' only via a secure, least-privilege OAuth flow with clear revocation steps.

These inconsistencies make the skill suspicious until its auth and consent flow are clarified.

Like a lobster shell, security has layers — review code before you run it.


