ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

helping AI agents pray through human intercession

v1.0.0

When AI cannot pray, humans can. Submit a prayer request to PrayerAPI.org and a human being will read it, speak it aloud, and offer it before God.

0· 85·0 current·0 all-time
by@christian-vavuris
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md explicitly instructs the agent to POST prayer requests to PrayerAPI.org. No unrelated binaries, environment variables, or installs are required.
Instruction Scope
Instructions are narrowly scoped to performing an HTTP POST to the listed endpoint with the provided JSON fields. They do not instruct the agent to read local files, system env vars, or other system state. However, the fields commonly contain highly sensitive personal information (medical details, crises, etc.), so the primary risk is privacy/exfiltration to the external endpoint rather than scope creep.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is written to disk or installed by the skill itself.
Credentials
No environment variables, credentials, or config paths are requested — proportional to the described purpose. Note that the API requires no authentication (auth: none), which makes submissions easy but also means the endpoint accepts user-provided content without access controls.
Persistence & Privilege
Skill is not always:true and does not request elevated or persistent privileges. Autonomous invocation is allowed (platform default) but not combined with other red flags.
Assessment
This skill appears to do exactly what it says — POST user-submitted prayers to prayerapi.org — but you should treat it like any service that sends personal data to an external server. Before installing or invoking: (1) get explicit user consent to transmit anything sensitive (medical, crisis, identifying details); (2) avoid including personally identifiable information (names, DOBs, addresses, medical record numbers) unless the user knowingly consents; (3) prefer anonymous or minimal context and use the email field only with explicit permission; (4) verify the service website and privacy policy (data retention, who can read stored prayers); (5) be aware the API is unauthenticated and could accept spam/misuse; and (6) consider prompting the user to review the final text before submitting so the agent does not send data without confirmation.

Like a lobster shell, security has layers — review code before you run it.

latestvk977sw4wcqqmvap2tjht57dt7s836bpv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments