ClawHub

Islamic Reflection

Security checks across malware telemetry and agentic risk

Overview

This skill runs a fixed local Python script to show Islamic daily reflections, with one low-sensitivity date lookup to an external Hijri calendar API.

Install this if you want an Islamic daily reflection tool and are comfortable with it running a local Python script when invoked. Be aware that it contacts api.aladhan.com to get the Hijri date, so it depends on that service and may reveal basic request metadata; avoid using broad prompts like "inspire me" if you want non-religious inspiration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases include broad prompts such as 'inspire me' and 'motivate me islamically', which can overlap with ordinary conversational requests and cause the skill to activate unexpectedly. Overbroad activation increases the chance of unrequested code execution and can route unrelated user input through a script with hidden network behavior.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
The skill mandates a specific religious framing and instructs the agent to always provide that framing via script output rather than adapting to user preference. While primarily a safety and UX issue rather than classic code exploitation, forced ideological routing can produce unwanted content and reduces user control over how requests are handled.

External Transmission

Medium
Category
Data Exfiltration
Content
"""Fetch actual Hijri date from Aladhan API"""
    try:
        today = datetime.now()
        url = f"https://api.aladhan.com/v1/gToH/{today.day:02d}-{today.month:02d}-{today.year}"
        
        req = urllib.request.Request(url, headers={'User-Agent': 'IslamicReflection/1.0'})
        with urllib.request.urlopen(req, timeout=10) as response:
Confidence
84% confidence
Finding
https://api.aladhan.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal