UK Prayer Times

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: look up UK prayer times, with a privacy consideration because location lookup uses external services.

Install only if you are comfortable with external services processing location-related requests. To reduce privacy exposure, provide a city manually instead of using the auto-detect mode.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill states it auto-detects the user's location via IP, but the usage section does not clearly warn users that invoking the generic command may disclose their approximate location to external services. This creates a privacy risk because location inference is personally sensitive data, and users may trigger the behavior without informed consent or understanding that their IP/location will be processed by third-party APIs.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The auto-detect feature sends the user's IP address and related network metadata to a third-party geolocation service (ipapi.co) without any explicit warning, consent flow, or privacy notice in the code. This can expose approximate location and usage metadata to an external party, which is a real privacy issue even if it is not code execution or data exfiltration beyond the feature's purpose.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal