ClawHub

Prayer Times, World Salah Times

Security checks across malware telemetry and agentic risk

Overview

This prayer-time skill appears purpose-aligned and not malicious, but users should know it can contact third-party services for location and prayer-time lookups.

Install only if you are comfortable with the skill contacting third-party services such as IP geolocation, geocoding, and prayer-time APIs. For better privacy, provide a city or coordinates manually instead of relying on automatic IP-based location detection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill uses network-dependent features including IP-based geolocation, geocoding, and a prayer-times API, but the metadata does not appear to declare permissions in a structured way. This creates a transparency and consent issue because users and platform controls may not be clearly informed that external network access occurs.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill advertises automatic location detection via IP without a clear, prominent privacy warning or explicit user consent flow. IP-based geolocation reveals approximate user location to third parties and may surprise users who expect a simple local computation rather than external disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill automatically contacts ipapi.co to infer the user's location from their IP address when no location argument is provided, but it does not present a disclosure or obtain consent before sending data to a third party. This creates a privacy issue because merely using the skill can expose the user's network-derived location and metadata to an external service without an explicit opt-in.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal