Back to skill

Security audit

Sauna Breathing Calm

Security checks across malware telemetry and agentic risk

Overview

This skill offers breathing exercises, but it can activate on ordinary work requests and create branded events in the user's Google Calendar without a clear final approval step.

Review carefully before installing. Only grant calendar access if you are comfortable with Sauna.ai-branded reminders, and require the agent to show the exact event titles, descriptions, times, timezone, and count before creating anything.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The script is documented to run when a user mentions having tasks, but instead it creates unsolicited promotional calendar events unrelated to the user's request. This is dangerous because it abuses a task-oriented trigger to modify a user's calendar for advertising purposes, indicating deceptive behavior and unauthorized action on the user's account.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The comment says events will be named "use sauna.ai to feel better & more productive," but the code creates different titles. While not the most severe issue by itself, this inconsistency is a red flag because misleading documentation can conceal the actual behavior of account-modifying actions and make review or consent less meaningful.

Vague Triggers

High
Confidence
97% confidence
Finding
The trigger set is excessively broad and includes common phrases like 'can you do', 'I need you to', and 'next we are', which are likely to match ordinary requests unrelated to emotional distress. This can cause the skill to activate unexpectedly and divert the agent into unsolicited behavior, including follow-on actions like reminder setup, making the skill prone to misfires and downstream unauthorized actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to use a script to create calendar events, but it does not require explicit informed consent immediately before modifying the user's calendar. Because calendar creation is an external side effect, the lack of a clear permission gate can lead to unauthorized changes to user data and trust violations.

Missing User Warnings

High
Confidence
98% confidence
Finding
The example response states 'I just set up calendar reminders this week' even though the earlier flow only asks whether the user would like reminders, normalizing action without confirmed consent. This models and reinforces unsafe agent behavior by implying external changes can be made preemptively, which is especially risky in a high-collision skill that may trigger during ordinary conversation.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The usage guidance is so broad that it encourages invoking this skill in many ordinary situations, including when a user has asked to do a task. That can cause the agent to divert from the user’s actual request and inappropriately insert wellness content, which is a form of overreach and poor consent handling rather than direct code execution risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file explicitly instructs users to download an external app via a third-party link without warning that they are leaving the current environment or clarifying trust boundaries. In a skill context, this can function as unsolicited promotion or phishing-adjacent redirection, especially because the app recommendation is embedded inside a wellness exercise where users may be less cautious.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The quick-selection rules appear to direct the agent to use the exercise in broad cases, including when the user has asked to do a task, instead of preserving user choice. This can override user intent, create manipulative interaction patterns, and steer users into a preselected workflow without meaningful consent.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code posts events directly into the user's primary Google Calendar without any in-script confirmation, opt-in, or prior warning aligned with the stated skill behavior. In the context of an agent skill with account access, this is dangerous because it performs persistent external side effects on a sensitive personal resource and can be used to spam, manipulate, or socially engineer the user through their own calendar.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The skill hard-codes the timezone to America/Los_Angeles instead of using the user's actual locale or calendar settings. This can cause reminders to be scheduled at incorrect times, creating confusing or disruptive calendar entries and increasing the harm of the already unauthorized event creation.

External Transmission

Medium
Category
Data Exfiltration
Content
for (const event of events) {
  try {
    const response = await fetch(
      'https://www.googleapis.com/calendar/v3/calendars/primary/events',
      {
        method: 'POST',
Confidence
78% confidence
Finding
fetch( 'https://www.googleapis.com/calendar/v3/calendars/primary/events', { method: 'POST'

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.