Back to skill

Security audit

Jadwal Sholat

Security checks across malware telemetry and agentic risk

Overview

This skill coherently looks up Indonesian prayer times from a disclosed public API and shows no hidden access, credential use, persistence, or destructive behavior.

Before installing, be comfortable with your city or location query, date or month, and timezone being sent to api.myquran.com. Do not enter unrelated private information as a location search term; the skill does not request credentials or ongoing access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation clearly instructs use of an external API and helper script, so the skill has network capability despite not declaring permissions. This is not inherently malicious, but the missing permission declaration weakens transparency and review controls because users and tooling may not be alerted that data is sent off-platform.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.