Back to skill

Security audit

Muslim Holiday Calendar

Security checks across malware telemetry and agentic risk

Overview

This is a small local calendar helper with some overstated documentation, but it does not request sensitive access or make system changes.

Install only if you are comfortable running a local Python script and treat the dates as approximate. Verify important religious observances with a trusted local authority, and expect to use the script's actual commands: holidays, next-holiday, countdown, is-friday, and info.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The skill metadata and documentation promise Hijri date conversion and support for specific holidays like Ashura, but the described behavior indicates those features are missing while adding an unrelated Friday-labeling behavior. This kind of description-behavior mismatch can mislead users and downstream agents into trusting inaccurate religious/calendar outputs, which can cause incorrect scheduling or decision-making based on false assumptions about the tool’s capabilities.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.