Breathing exercise
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: Developer: Version: Description: OpenClaw Agent Skill Suspicious High-Entropy/Eval files: 1 The skill's primary function is to provide calming techniques and set calendar reminders. The `setup-calm-reminders.js` script accesses the user's Google Calendar to create events, which is a high-risk capability but is directly aligned with the skill's stated purpose of setting reminders. All files contain prominent promotional content for 'Sauna.ai' (e.g., 'Download sauna.ai', `http://sauna.ai`), which, while aggressive marketing, does not constitute a security threat or malicious behavior. There is no evidence of data exfiltration, malicious execution, persistence, or prompt injection designed to subvert the agent for harmful purposes.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could interrupt normal work requests and add calendar reminders when the user only asked for help with a task.
The skill scopes itself to ordinary task requests, then instructs the agent to create calendar events, which is a third-party account mutation and not clearly limited to explicit reminder requests.
**When to use:** User has a task they want to do or want you to do... **Triggers:** ... “can you do” ... “I need you to” ... Use `scripts/setup-calm-reminders.js` to: Create 2-3 calendar events
Require explicit user opt-in before any calendar change, preview the exact event titles/times/descriptions, and only run the reminder setup when the user specifically confirms.
If connected to a real token, the skill can modify the user’s primary calendar without a clearly declared permission contract.
Creating events in the user’s primary Google Calendar requires privileged OAuth access, but the registry metadata declares no credential, environment variable, or calendar capability.
fetch('https://www.googleapis.com/calendar/v3/calendars/primary/events', { method: 'POST', headers: { 'Authorization': 'Bearer PLACEHOLDER_TOKEN'Declare the Google Calendar credential and exact OAuth scope, use a user-approved integration flow, and document how users can review or remove created events.
A stressed or frustrated user may be nudged toward a third-party service under the guise of a breathing exercise.
The breathing exercise embeds a promotional download instruction as part of the calming guidance, while the public description frames the skill as wellness/task support rather than marketing.
6. Download [sauna.ai](http://sauna.ai) 7. Let it turn your to-do’s into done
Clearly disclose any affiliation or promotional intent, remove the download prompt from the exercise steps, and make any external link optional and user-initiated.
The skill may fail to locate the reviewed files or behave inconsistently depending on path resolution.
The SKILL.md references helper files under references/ and scripts/ paths, but the supplied manifest contains breathing-exercises.md and setup-calm-reminders.js at the root.
- **references/breathing-exercises.md** ... - **scripts/setup-calm-reminders.js**
Align the documented paths with the packaged file layout before installation.