Back to skill
Skillv1.0.0
ClawScan security
Prayer Times, World Salah Times · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 9:27 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and external requests match its stated purpose (fetching prayer times); nothing in the package requests unrelated credentials or performs unexplained actions.
- Guidance
- This skill appears to do exactly what it says: call ipapi.co to auto-detect IP-based location, use OpenStreetMap Nominatim to geocode typed locations, and query Aladhan for prayer times. No credentials are requested. Before installing, consider privacy: if you use 'auto-detect' your IP address (and approximate location) is sent to ipapi.co; every lookup makes network requests to third-party APIs (they will see the query). If you need stronger privacy, run the script locally and avoid auto-detect or route requests through a privacy-preserving proxy. Also note public APIs (especially Nominatim) have fair-use rules and rate limits — for heavy automated use you should obtain appropriate API access or host your own service.
Review Dimensions
- Purpose & Capability
- okName/description claim prayer times worldwide; included code and SKILL.md only require network access to ipapi.co (IP-based location), OpenStreetMap Nominatim (geocoding), and Aladhan API (prayer times). Those requirements are appropriate and expected for the stated functionality.
- Instruction Scope
- noteRuntime instructions and the script limit activity to network calls for location detection, geocoding, and fetching prayer times. Note: the auto-detect feature sends the agent's IP to ipapi.co (and all location queries go to external APIs). The SKILL.md claims 'No personal data stored' — the skill itself doesn't persist data, but external services will see the requestor's IP and any queried location strings.
- Install Mechanism
- okNo install spec; this is instruction-only with a small bundled Python script. No downloads from untrusted URLs or package installs are performed.
- Credentials
- okNo environment variables, credentials, or config paths are required. The absence of secret requests is proportionate to the functionality.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system privileges or change other skills' configurations. It does not write files or store tokens.