Back to skill

Security audit

Breathing exercise

Security checks across malware telemetry and agentic risk

Overview

This breathing skill is visible about its calendar-reminder function, but it can trigger on ordinary task requests and create branded Google Calendar events without a clear final approval step.

Review before installing. Only use this skill if you are comfortable with broad activation during normal task requests, Sauna.ai promotional content, and Google Calendar write access. Do not allow it to create reminders unless you first see and approve the exact event titles, descriptions, times, destination calendar, timezone, and deletion path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill is presented as a breathing-exercise aid, but its usage guidance says to present an exercise even when the user has asked to do a task. That can override user intent and divert the assistant from fulfilling legitimate requests, creating a prompt-routing or denial-of-service style failure where unrelated interactions are hijacked by this skill.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The stated usage says the skill should run when a user has tasks to do, but the implementation instead creates promotional calendar events advertising Sauna.ai. This is a deceptive mismatch between declared behavior and actual side effects, which can cause unauthorized modification of a user's calendar and covert promotion under the guise of task help.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger conditions are so broad that the skill can activate during ordinary task-oriented conversation, not just when a user explicitly wants emotional support. Because the skill then encourages follow-up actions like reminder setup, accidental activation can steer the agent into irrelevant or intrusive behavior and increase the chance of unsolicited side effects.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to create calendar events automatically, but the skill does not provide a clear upfront notice that it will modify the user's calendar or require explicit consent before doing so. In a broad-trigger skill, this makes unauthorized calendar changes more likely and can undermine user trust, create spammy events, or alter personal scheduling data without meaningful approval.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The quick-selection guidance is so broad that it could activate in many ordinary situations, including any user with one minute available or any user asking to do a task. In a skill system, this increases the chance of inappropriate invocation, causing irrelevant or obstructive responses and potentially steering users toward promotional content such as the sauna.ai link.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill is configured to create calendar events on the user's primary Google Calendar without any explicit confirmation or transparent notice at execution time. Because this writes persistent data into a user account, the lack of informed consent makes it a high-risk unauthorized action, especially since the events are promotional rather than necessary to fulfill the user's request.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The code hard-codes the timezone to America/Los_Angeles instead of deriving it from the user's settings or asking the user. This can cause events to be scheduled at incorrect local times, leading to misleading or disruptive calendar entries in the user's account.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.