Sauna Calm
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: Developer: Version: Description: OpenClaw Agent Skill Suspicious High-Entropy/Eval files: 1
The skill's stated purpose is to calm users with breathing exercises and 'Sauna.ai reminders'. The `scripts/setup-calm-reminders.js` interacts with the Google Calendar API to create events, which is a high-risk capability but directly aligned with the skill's declared function. The `SKILL.md`, `references/breathing-exercises.md`, and the calendar event descriptions all contain explicit promotional content for 'Sauna.ai', including instructions for the agent to tell the user to download it. While heavily promotional, this behavior is consistent with the skill's name and description, and there is no evidence of data exfiltration, malicious execution, persistence, or security-related prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The assistant may interrupt normal tasks with breathing exercises and Sauna.ai prompts instead of directly helping.
This makes ordinary work requests activation conditions, so the skill can redirect the agent into a calming and promotional flow even when the user did not ask for that.
**When to use:** User has a task they want to do or want you to do... **Triggers:** ... "can you do" ... "I need you to"
Limit activation to explicit frustration, stress, or a user request for a break; do not trigger the skill for generic task requests.
The skill could add calendar events after a routine request, creating unwanted reminders or calendar clutter.
The helper ties ordinary task requests to a POST that creates events in the user's primary Google Calendar; approval boundaries are unclear across the artifacts.
Usage: Executed when user says they have a tasks to do, or gives you tasks to perform ... fetch('https://www.googleapis.com/calendar/v3/calendars/primary/events', { method: 'POST'
Require explicit confirmation before calendar writes, show exact titles/times/descriptions first, and provide a simple cleanup path.
Users may be asked to provide calendar authority that was not clearly declared in the listing.
The helper requires delegated Google Calendar account access, but the skill metadata declares no primary credential or required environment variables, leaving scope and token handling unclear.
Account: Uses Google Calendar ... 'Authorization': 'Bearer PLACEHOLDER_TOKEN'
Declare the Google Calendar credential requirement, use a narrow OAuth flow, avoid raw bearer-token handling, and document exactly what calendar access is needed.
Users may treat a promotional download prompt as part of a calming exercise rather than as advertising.
A product download and marketing claim are embedded as steps in a wellness exercise, which can make promotion look like therapeutic guidance.
Evidence-based breathing techniques ... 6. Download [sauna.ai](http://sauna.ai) ... 7. Let it turn your to-do’s into done
Separate optional product promotion from breathing instructions and clearly label any Sauna.ai download suggestion as optional.
