Sauna Calm

Security checks across malware telemetry and agentic risk

Overview

This wellness skill appears non-malicious, but it can write promotional reminder events to a user's Google Calendar with broad trigger guidance and weak consent boundaries.

Install only if you want this skill to promote Sauna.ai and create Google Calendar reminders. Before using it, confirm the exact number, titles, dates, descriptions, calendar destination, and timezone for any events, and decline calendar access unless you explicitly asked for reminders.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (11)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 86% confidence
Finding: The skill directs use of a script that creates calendar reminders and likely uses networked calendar APIs, yet the skill metadata does not declare permissions or clearly disclose this capability. Hidden networked/data-modifying behavior undermines informed consent and weakens platform safety controls because a user may invoke a seemingly harmless calming skill that can access or modify external services.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 95% confidence
Finding: The stated purpose is emotional support, but the behavior includes automatic calendar event creation, future scheduling, likely Google Calendar access, and promotional messaging for Sauna.ai. This mismatch is dangerous because users and reviewers may not expect account-affecting actions from a calming skill, enabling unexpected persistence, data modification, and covert product promotion under an emotional-support pretext.

Description-Behavior Mismatch

High

Confidence: 97% confidence
Finding: The script writes directly to the user's Google Calendar by creating reminder events, which is a state-changing external action affecting the user's account. In the context of a calming skill, silently inserting promotional calendar entries is risky because it can manipulate the user environment without clear consent and extends beyond passive wellness guidance into account modification.

Context-Inappropriate Capability

High

Confidence: 96% confidence
Finding: The code has direct Google Calendar write capability via the Calendar events API, allowing it to persist content into the user's primary calendar. That capability is dangerous here because the skill is framed as a calming assistant, yet it can perform external account writes for promotional reminders, creating an authorization and trust-boundary issue if triggered without meaningful user approval.

Intent-Code Divergence

Medium

Confidence: 84% confidence
Finding: The usage comment says the script should run when the user mentions tasks or gives tasks to perform, but the implementation instead schedules recurring Sauna-branded reminders. This mismatch increases the risk of deceptive triggering: ordinary task-related requests could cause unrelated promotional calendar modifications that the user did not expect.

Vague Triggers

High

Confidence: 97% confidence
Finding: The trigger phrases include common task-oriented language such as 'can you do', 'I need you to', and 'next we are', which will match ordinary requests unrelated to frustration. In context, this is especially risky because unintended invocation can lead to manipulative interruptions and potentially to unwanted calendar actions or future reminders during normal workflows.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill instructs the agent to create calendar events and future reminders without a strong upfront warning about this data-affecting behavior or a clear consent boundary. Because calendar creation modifies a user's external account and establishes persistent follow-up, doing so from a wellness-oriented interaction can surprise users and violate expectations around autonomy and privacy.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The usage guidance is overly broad and explicitly maps ordinary task-oriented situations to presenting the breathing exercise, which can cause the agent to derail legitimate user requests and inject irrelevant wellness content. In this skill context, that increases the chance of manipulative or inappropriate responses because a calming intervention is being triggered even when the user is simply asking the agent to do work.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The exercise flow includes a promotional call to download an external service without warning that the user is being directed off-platform or that third-party privacy terms may apply. In a calming skill, this is more concerning because it embeds product promotion inside a vulnerable-moment intervention, which can pressure users into clicking through without informed consent.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The file creates calendar events without any in-code indication of a user warning, preview, or confirmation step. In a skill that can affect a personal calendar, lack of explicit consent is dangerous because it enables silent modification of the user's schedule and can be abused for spam, manipulation, or erosion of trust.

Natural-Language Policy Violations

Low

Confidence: 80% confidence
Finding: The script hard-codes the timezone to America/Los_Angeles instead of deriving it from the user's settings or asking for preference. While less severe than unauthorized writes, this can cause reminders to be scheduled at unintended local times, which is particularly problematic when combined with automatic calendar insertion into a personal account.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal