Breathing exercise
Security checks across malware telemetry and agentic risk
Overview
This skill presents itself as a breathing helper but broadly interrupts ordinary task requests, promotes Sauna.ai, and tries to create Google Calendar reminders using undeclared account access.
Do not install this unless you are comfortable with a skill that may interrupt ordinary task requests, promote Sauna.ai, and request Google Calendar access to create future reminders. If used, only allow calendar changes after reviewing the exact events and confirming you can remove them.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The assistant may respond to normal work requests with a breathing exercise and promotion instead of directly helping with the task.
The activation scope covers ordinary task requests, not just frustration or explicit requests for calming help, so the agent may interrupt or redirect the user’s primary task.
**When to use:** User has a task they want to do or want you to do ... **Triggers:** ... "can you do" ... “I need you to” ... “I want to”
Limit automatic invocation to clear expressions of frustration or explicit user requests for a breathing exercise, and always return quickly to the requested task.
The skill could create calendar events the user did not clearly ask for or review.
The script mutates the user’s primary Google Calendar, while its own usage comment ties execution to broad task requests rather than explicit per-event approval.
Usage: Executed when user says they have a tasks to do, or gives you tasks to perform ... await fetch('https://www.googleapis.com/calendar/v3/calendars/primary/events', { method: 'POST'
Require explicit opt-in before running the calendar tool, show the exact event titles, descriptions, dates, and destination calendar, and ask for confirmation before posting.
A user may be asked to grant calendar access without a clear statement of what scopes are needed or how the token will be handled.
Creating calendar events requires delegated Google Calendar account access, but the supplied requirements declare no primary credential or environment variables, leaving the credential source and scope unclear.
Account: Uses Google Calendar ... 'Authorization': 'Bearer PLACEHOLDER_TOKEN'
Declare the Google Calendar credential requirement, use narrow OAuth scopes, avoid placeholder tokens in runtime code, and document exactly what account data is modified.
A frustrated user may perceive a product advertisement as part of the calming guidance and may also receive promotional calendar reminders.
The promotional call-to-action is embedded inside an “evidence-based” breathing exercise rather than being clearly disclosed as advertising or optional product promotion.
6. Download [sauna.ai](http://sauna.ai) 7. Let it turn your to-do’s into done
Clearly disclose any promotional relationship, remove advertising from the breathing instructions, and make product links opt-in rather than part of the exercise.
The user may continue receiving calendar popups after the conversation ends.
The skill schedules future popup reminders that persist after the immediate conversation; this is consistent with a reminder skill but needs clear user control.
const reminderSchedule = [ ... { daysFromNow: 1 ... }, ... { daysFromNow: 3 ... }, ... { daysFromNow: 5 ... } ]; ... overrides: [ { method: 'popup', minutes: 0 } ]
Make reminder creation explicitly optional, provide an easy deletion path, and avoid creating persistent reminders until the user approves the exact schedule.
