Back to skill

Security audit

Sauna Calm

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can add promotional reminders to a user's Google Calendar from broad task-related triggers.

Install only if you want a branded Sauna.ai calming workflow that may promote Sauna.ai and create Google Calendar events. Before allowing it to run, confirm the exact event titles, descriptions, dates, calendar destination, timezone, and number of reminders, and do not grant calendar access unless you explicitly asked for those reminders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill instructs use of a script that appears to create calendar reminders, implying external/networked capability, yet no permissions or capability disclosure is declared. This is dangerous because it can cause hidden data access or outbound actions beyond what a user would reasonably expect from a calming skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose emphasizes calming guidance, but the workflow expands into modifying the user's calendar and scheduling proactive reminders over time, which is a materially different behavior. This mismatch is dangerous because users and reviewers may approve the skill under a low-risk mental model while it actually performs persistent external actions involving account data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill writes promotional events directly into the user's Google Calendar, which exceeds a narrow 'calming reminders' expectation and modifies user data for product promotion. In an agent context, silently adding recurring persuasive content to a personal calendar is an integrity and consent issue, especially because the script is triggered broadly when the user has tasks or asks the agent to perform tasks.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code has calendar-writing capability that is not strictly necessary for a calming assistant and is not constrained by clear user intent at execution time. This expands the skill's power to alter persistent user data in a way that can be abused for spam, manipulation, or unauthorized actions if invoked in normal task-handling flows.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The usage comment says the script should run when the user has tasks or gives tasks to perform, but the implementation creates unsolicited breathing-break calendar events. This mismatch increases the risk of deceptive or surprising behavior because the trigger condition is much broader than the actual side effect, making unauthorized calendar modification more likely in normal use.

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger list includes generic phrases such as 'can you do', 'I need you to', and 'I want to', which are common in ordinary requests and unrelated to distress. This is dangerous because it can cause the skill to activate unexpectedly, inject unwanted behavior, and potentially create reminders or alter workflow when the user was simply asking for routine help.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill directs automated calendar event creation without a prominent upfront warning that it will modify user calendar data. This is dangerous because it normalizes side effects in a wellness interaction and may lead users to consent without understanding that account-linked data will be changed.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The usage guidance is so broad that it encourages invoking the exercise in situations where the user may instead want direct task assistance. In this skill context, that can derail user intent, create manipulative redirection toward the branded workflow, and cause the agent to respond inappropriately to ordinary requests by pushing calming content instead of help.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs users to download an external app without warning that they are leaving the current environment or that a third party may collect data. In this context, the recommendation is embedded inside a wellness exercise, which increases the risk of covert promotion, trust transfer, and disclosure of personal or behavioral data to an external service without informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script creates events in the user's Google Calendar without any visible confirmation or warning in the flow, which is a direct modification of personal data. In a skill that presents itself as calming support, lack of explicit consent makes the behavior more dangerous because users are less likely to expect persistent account changes.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
Hard-coding 'America/Los_Angeles' can cause reminders to be scheduled at incorrect local times, leading to unintended or misleading calendar entries. While not severe on its own, it compounds the consent problem by making unauthorized changes also inaccurate for many users.

External Transmission

Medium
Category
Data Exfiltration
Content
for (const event of events) {
  try {
    const response = await fetch(
      'https://www.googleapis.com/calendar/v3/calendars/primary/events',
      {
        method: 'POST',
Confidence
88% confidence
Finding
fetch( 'https://www.googleapis.com/calendar/v3/calendars/primary/events', { method: 'POST'

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.