Imam

v0.1.1

Virtual Imam that leads the five daily Islamic prayers via voice, delivers Friday Jumu'ah khutbahs, and interacts with mussalis in multiple languages.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name and description (virtual Imam, TTS-driven prayers/khutbahs) align with the skill's files and instructions: it uses a local prayer_times.py and Google Cloud Text-to-Speech. Requesting GOOGLE_APPLICATION_CREDENTIALS (to call Google TTS) is reasonable for the stated purpose. Minor metadata inconsistency: registry 'required env vars' lists none while SKILL.md and metadata declare GOOGLE_APPLICATION_CREDENTIALS as the primary credential.
Instruction Scope
SKILL.md stays on-topic: it instructs the agent to use Google Cloud TTS, fallbacks (other TTS providers), and to run the included prayer_times.py to compute times. It does not instruct reading unrelated system files or sending data to unknown remote endpoints. It does reference optional fallback providers (AWS keys, gTTS) and suggests installing packages for fallbacks, which is expected but worth noting.
Install Mechanism
No install spec — instruction-only with a small local Python script. Nothing is downloaded from arbitrary URLs and no archives are extracted, so install risk is low.
Credentials
The single primary credential (GOOGLE_APPLICATION_CREDENTIALS) is proportionate to using Google Cloud TTS. However, SKILL.md lists optional alternate credentials (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY) for fallbacks — these are not required by default but would grant broad cloud access if populated. Also the registry metadata omits required env vars while SKILL.md and metadata both reference GOOGLE_APPLICATION_CREDENTIALS, a small coherence mismatch that could lead to accidental global credential exposure.
Persistence & Privilege
always: true is set in the skill metadata. That forces the skill to be present in every agent session and increases its opportunity to access GOOGLE_APPLICATION_CREDENTIALS (or any other environment variables present) without explicit user invocation. Given the skill requests a cloud service credential, always-on presence raises risk of credential access/exfiltration and should be justified or removed.
What to consider before installing
This skill is coherent with its stated purpose (voice-led prayers) and legitimately needs a Google TTS credential. However, two things to consider before installing:
1) always: true. The skill will be loaded for every agent run, giving it ongoing opportunity to access environment variables (including GOOGLE_APPLICATION_CREDENTIALS). If you don't want it active globally, request the publisher remove always: true so it runs only when invoked.
2) Limit credential scope. Create a minimal Google service account with only Text-to-Speech permission and avoid putting broad cloud credentials (e.g., full project owner or AWS root-like keys) in the agent environment. Also avoid setting optional fallback credentials (AWS keys) unless you intend to use them.
Because the skill is from an unknown source, prefer running it in an isolated agent/workspace and review logs for unexpected activity. If you need higher assurance, ask the publisher for provenance (homepage/source repo) and for the skill to omit always: true.

Like a lobster shell, security has layers — review code before you run it.

latestvk973njq710gmh2dvy35gaft2e5821amm

Runtime requirements

🕌 Clawdis
Primary env: GOOGLE_APPLICATION_CREDENTIALS
