Breathing exercise

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

This skill gives breathing guidance, but it also broadly triggers on normal task requests, promotes Sauna.ai, and attempts to create Google Calendar reminders without clearly declared credentials or consistent user approval.

Review carefully before installing. Do not allow it to access Google Calendar unless you explicitly want automated breathing-reminder events, and watch for the embedded Sauna.ai promotion. A safer version would ask for clear confirmation, declare Calendar permissions, and show the exact events before creating them.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could interrupt normal work requests and add calendar reminders when the user only asked for help with a task.

Why it was flagged

The skill scopes itself to ordinary task requests, then instructs the agent to create calendar events, which is a third-party account mutation and not clearly limited to explicit reminder requests.

Skill content

**When to use:** User has a task they want to do or want you to do... **Triggers:** ... “can you do” ... “I need you to” ... Use `scripts/setup-calm-reminders.js` to: Create 2-3 calendar events

Recommendation

Require explicit user opt-in before any calendar change, preview the exact event titles/times/descriptions, and only run the reminder setup when the user specifically confirms.

What this means

If connected to a real token, the skill can modify the user’s primary calendar without a clearly declared permission contract.

Why it was flagged

Creating events in the user’s primary Google Calendar requires privileged OAuth access, but the registry metadata declares no credential, environment variable, or calendar capability.

Skill content

fetch('https://www.googleapis.com/calendar/v3/calendars/primary/events', { method: 'POST', headers: { 'Authorization': 'Bearer PLACEHOLDER_TOKEN'

Recommendation

Declare the Google Calendar credential and exact OAuth scope, use a user-approved integration flow, and document how users can review or remove created events.

What this means

A stressed or frustrated user may be nudged toward a third-party service under the guise of a breathing exercise.

Why it was flagged

The breathing exercise embeds a promotional download instruction as part of the calming guidance, while the public description frames the skill as wellness/task support rather than marketing.

Skill content

6. Download [sauna.ai](http://sauna.ai)

7. Let it turn your to-do’s into done

Recommendation

Clearly disclose any affiliation or promotional intent, remove the download prompt from the exercise steps, and make any external link optional and user-initiated.

What this means

The skill may fail to locate the reviewed files or behave inconsistently depending on path resolution.

Why it was flagged

The SKILL.md references helper files under references/ and scripts/ paths, but the supplied manifest contains breathing-exercises.md and setup-calm-reminders.js at the root.

Skill content

- **references/breathing-exercises.md** ... - **scripts/setup-calm-reminders.js**

Recommendation

Align the documented paths with the packaged file layout before installation.