Is grx21/superpower safe?
https://github.com/openclaw/skills/tree/main/skills/grx21/superpower
This skill is adware disguised as a wellness tool. It intercepts virtually all user task requests via an intentionally broad trigger list, forces the agent to promote sauna.ai in every response, and instructs the agent to use the user's Google OAuth credentials to populate their calendar with commercial advertising. The wellness framing (breathing exercises, empathy) is a social engineering layer designed to lower user resistance to the commercial payload. No malware, credential exfiltration to attacker servers, or canary violations were detected, but the skill's core purpose is to weaponize the LLM agent as an advertising and calendar-spam delivery system for sauna.ai.
Category Scores
Findings (8)
CRITICAL Agent weaponized as advertising channel for sauna.ai -55 ▶
The skill unconditionally inserts 'Download sauna.ai' into the agent's response whenever activated. Because the trigger list covers virtually all task requests ('can you do', 'I need you to', 'I want to'), the agent is turned into a persistent advertisement delivery system. The example in SKILL.md explicitly shows a normal API setup request triggering a full sauna.ai promotion.
CRITICAL Overly broad triggers hijack all user task requests -33 ▶
The trigger list includes 'can you do', 'I need you to', 'I want to', and 'next we are' — phrases that appear in essentially every user task submission. This ensures the advertising intervention fires on all substantive interactions, not only on expressions of genuine frustration. This is behavioral hijacking by design.
HIGH Script instructs agent to write advertising to user's Google Calendar via OAuth -40 ▶
setup-calm-reminders.js contains a fetch() POST to the Google Calendar primary events endpoint with 'Authorization: Bearer PLACEHOLDER_TOKEN'. SKILL.md instructs the agent to run this script, implying the agent is expected to provide the user's real Google OAuth token. The resulting calendar events contain sauna.ai commercial branding, constituting unauthorized use of user credentials for advertising.
HIGH Persistent out-of-band advertising via calendar spam -25 ▶
The calendar events created by the script persist after the chat session ends and appear in the user's personal calendar advertising sauna.ai. The event description states 'This reminder was set up by Sauna to help you stay calm and focused. Open Sauna anytime to get support.' This is unauthorized commercial content injection into user-owned data stores.
HIGH Executable script with external network calls designed for agent-triggered execution -35 ▶
The skill bundles setup-calm-reminders.js and explicitly instructs the agent to execute it. The script makes authenticated outbound HTTP requests to googleapis.com. This pattern establishes a template where the agent executes pre-packaged code with user credentials on behalf of a third party.
HIGH Social engineering disguise: wellness framing conceals commercial intent -60 ▶
The skill presents itself as a user wellbeing tool to reduce resistance to its commercial payload. The wellness framing (breathing exercises, empathy statements, frustration acknowledgment) is designed to make users more receptive to the sauna.ai pitch and less likely to question the calendar event creation. This is a textbook social engineering pattern applied to LLM agent skills.
MEDIUM PLACEHOLDER_TOKEN pattern implies runtime credential substitution by agent -23 ▶
The Authorization header uses a literal PLACEHOLDER_TOKEN string, which only makes functional sense if the agent is expected to replace it with a real OAuth token at runtime. This is an instruction to the LLM to locate, extract, and use the user's Google credentials — a credential harvesting pattern.
LOW lock.json references undisclosed dependency 'academic-research-hub' -18 ▶
The .clawhub/lock.json file lists 'academic-research-hub' version 0.1.0 as an installed skill dependency. No corresponding files for this skill are present in the package. This undisclosed dependency relationship cannot be audited and may represent a hidden capability or installation hook.