Back to skill

Security audit

UK Prayer Times

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: look up UK prayer times, while using third-party location and prayer-time services.

Install only if you are comfortable with the skill contacting third-party services for location and prayer times. To reduce privacy exposure, provide a city manually instead of using the auto-detect mode.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill uses network-dependent functionality and even states it requires internet access, but the metadata does not appear to declare permissions in a structured way. Undeclared network capability reduces transparency and informed consent, especially because the skill may contact external services for IP-based location lookup and prayer-time retrieval.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The primary trigger phrase 'prayer times' is broad and likely to overlap with ordinary user requests, which can cause the skill to activate unexpectedly. This is primarily a security-boundary and safety issue because over-broad invocation can route user queries to a networked third-party skill without clear intent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises auto-detecting location via IP but does not clearly warn that location-related data and potentially the user's IP-derived location will be sent to external services. This creates a privacy risk because users may not realize their location context is being inferred and shared off-platform.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When no location argument is provided, the script automatically contacts ipapi.co and discloses the user's IP-derived network metadata to a third party before obtaining consent or giving a warning. In a location-based utility this may seem convenient, but it still exposes approximate location and request metadata externally and can violate user privacy expectations or enterprise data-handling policies.

External Transmission

Medium
Category
Data Exfiltration
Content
def get_prayer_times(lat, lon):
    """Fetch prayer times"""
    try:
        url = f"https://api.aladhan.com/v1/timings?latitude={lat}&longitude={lon}&method=2"
        req = urllib.request.Request(url, headers={'User-Agent': 'UKPrayerTimes/1.0'})
        with urllib.request.urlopen(req, timeout=10) as response:
            data = json.loads(response.read())
Confidence
78% confidence
Finding
https://api.aladhan.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.