Security audit

Jewish Zmanim Calculator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Jewish calendar and zmanim calculator, with ordinary location/API privacy caveats and some documentation overstatements.

Use explicit city or coordinate inputs and assume those coordinates may be sent to Hebcal when calculations run. Do not rely on the documented IP, ZIP, or positional command examples without verifying they work, and verify important halachic times with a trusted local source.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill documentation clearly indicates network use via the Hebcal API, GeoNames lookups, and IP-based location detection, yet no corresponding permissions are declared. This creates a transparency and policy gap: users or the hosting platform may not realize the skill can transmit location-related data off-device, increasing privacy and trust risk.

Vague Triggers

Medium
Confidence: 83%
Finding: The trigger list includes broad terms like 'sunrise', 'sunset', and 'minyan', which can match ordinary conversation and cause the skill to activate unintentionally. While this is not a direct code execution risk, unintended activation can expose user context, invoke network lookups, or surface religious/calendar data when not requested.

Missing User Warnings

Medium
Confidence: 93%
Finding: The quick-start example advertises automatic location detection by IP without any visible privacy notice or opt-in. Because location can be inferred and sent to external services, users may unknowingly disclose sensitive geographic information, especially in a skill tied to religious practice and routine timing.

VirusTotal

66/66 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.