Imam

Pass

Audited by ClawScan on May 1, 2026.

Overview

This prayer-leading skill appears purpose-aligned and transparent, with the main things to notice being optional cloud TTS credentials, broad activation, and stored user preferences.

Before installing, make sure any Google or AWS credential you provide is dedicated to text-to-speech and not broadly privileged. Expect the skill to remember basic language preferences and to run a local prayer-time helper. The artifacts do not show hidden exfiltration, destructive behavior, or unrelated permissions.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the cloud credential is over-privileged or exposed elsewhere, it could affect the user's cloud account beyond this skill's intended TTS use.

Why it was flagged

The skill requests cloud TTS credentials for voice synthesis. This is consistent with its purpose, but service account keys and provider secrets are sensitive.

Skill content

GOOGLE_APPLICATION_CREDENTIALS=/path/to/your-service-account.json ... AWS_ACCESS_KEY_ID=your_key ... AWS_SECRET_ACCESS_KEY=your_secret

Recommendation

Use a dedicated, least-privileged service account for Text-to-Speech only, keep the JSON key private, and avoid reusing broad cloud credentials.

What this means

The assistant may remember the selected language or prayer-mode preference across future interactions.

Why it was flagged

The skill explicitly stores a user preference for future use. This is purpose-aligned and limited to language/preference behavior.

Skill content

Supported languages: Arabic ... Bengali. Store preference in memory.

Recommendation

Only store non-sensitive preferences, and ask the agent to forget or update them if they are no longer wanted.

What this means

The agent may execute a local script to determine prayer times, but the script's behavior shown in the artifacts is limited to calculating and printing times.

Why it was flagged

The skill may run an included local Python helper to calculate prayer times. The provided script is purpose-aligned and does not show network access, credential handling, or destructive actions.

Skill content

If not stated, calculate the current prayer based on location + time using `{baseDir}/scripts/prayer_times.py`.

Recommendation

Keep using the included script as-is and review any future changes before allowing it to run.

Note, Medium Confidence

ASI01: Agent Goal Hijack

What this means

The skill might activate during an unrelated conversation about prayer times or prayer names, though it is instructed to ask for confirmation before starting.

Why it was flagged

The activation scope is broad, especially with the skill marked always-on in metadata, so casual mentions of prayer names could trigger the skill's workflow.

Skill content

Activate when the user says or types ... Any of the five prayer names alone or with "prayer"

Recommendation

Confirm before beginning any prayer flow, and narrow activation phrases if accidental activation becomes disruptive.

What this means

Users have less external context for who maintains the skill or where to verify updates.

Why it was flagged

The artifacts do not provide an upstream source or homepage for provenance. No remote installer or suspicious dependency is shown, so this is only a provenance note.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only if you trust the registry owner or have reviewed the included files, and re-check future versions before updating.