Jadwal Sholat

Security checks across malware telemetry and agentic risk

Overview

This skill only looks up Indonesian prayer times from a clearly named public API and shows no evidence of hidden access, persistence, or harmful behavior.

Before installing, understand that using the skill sends your requested Indonesian city/regency keyword or location ID, requested date or month, and timezone to api.myquran.com. The reviewed version does not ask for credentials, install packages, run in the background, or modify your files or accounts.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill clearly performs outbound network access to a third-party API, but no corresponding permission declaration is documented. This creates a transparency and governance issue: users or hosting platforms may not realize the skill sends queries externally, which can lead to unexpected data disclosure of user-supplied location or date inputs.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal