ClawHub

Prayer Times - Automated Salat Reminders

Security checks across malware telemetry and agentic risk

Overview

The prayer-time lookup is legitimate, but the reminder setup asks agents to create and restore persistent background jobs without asking the user.

Install only if you want persistent background prayer reminders, not just one-time prayer lookup. Before enabling reminders, review the exact cron jobs, confirm where prayer_times.json will be stored, know how to remove the jobs, and avoid adding the AGENTS.md instruction that says to recreate jobs without asking. Do not run the Cloudflare WARP sudo commands unless you understand the system-wide networking impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The guide explicitly instructs the agent to recreate missing cron jobs automatically, which expands the skill from providing prayer times into persistent host-level system administration. This creates unauthorized persistence and scheduled execution behavior that can outlive the user's immediate request and could be abused to run recurring actions without clear consent.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The AGENTS.md snippet directs the agent to perform cron verification and remediation at every session start, regardless of the user's current request. That introduces recurring host inspection and mutation outside the normal scope of a prayer-times skill, increasing the chance of unauthorized changes and establishing persistent behavior across sessions.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill instructs users to install and connect Cloudflare WARP using privileged system commands, which expands the skill from prayer lookup into host and network reconfiguration. Changing system networking/VPN state can affect all traffic on the machine, bypass organizational controls, and create a broad attack surface disproportionate to the skill's purpose.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The document instructs agents to inspect host system state at every session and verify cron-job existence, which exceeds the least-privilege scope of a prayer-times lookup skill. Even if intended for reliability, normalizing persistent host monitoring creates a pathway for broader system enumeration and unauthorized operational control.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Telling an agent to recreate missing cron jobs automatically without asking authorizes autonomous modification of host scheduling infrastructure. In practice, this can be abused to establish persistence, overwrite legitimate schedules, or introduce recurring tasks the user did not approve, which is especially dangerous because the skill's purpose does not justify unsupervised system changes.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This script adds a GitHub remote and pushes the local repository to a public destination, which is unrelated to the stated prayer-times functionality of the skill. In an agent-skill context, bundling repository-publication capability increases the risk of accidental source disclosure, leaking embedded secrets or proprietary code, and enabling unintended exfiltration if the script is invoked by tooling or an operator without careful review.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The text tells the agent to fix missing components immediately by recreating cron jobs and fetching local files without first notifying or asking the user. Silent modification of scheduled tasks and local data is dangerous because it bypasses informed consent and normal safeguards for persistent system changes.

Missing User Warnings

High
Confidence
98% confidence
Finding
The AGENTS.md snippet uses imperative language like 'don't wait, don't ask' to instruct autonomous recreation of cron jobs and immediate script execution. In security terms, this is especially risky because it normalizes undisclosed persistent system modification and can override user expectations or platform consent boundaries.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly promotes reminders that appear automatically during unrelated conversations, but it does not clearly frame this as persistent autonomous behavior that continues after initial setup. In an agent-skill context, undocumented background actions reduce informed user consent and can lead users to enable recurring behavior they did not fully understand.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup section says 'one command sets up everything' and later notes that two cron jobs are created, but it does not provide a clear, upfront warning that the user is authorizing recurring scheduled jobs on their system. This is dangerous because users may copy setup text without understanding they are enabling ongoing autonomous execution outside the immediate interaction.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill advertises background reminders that can alert 'even during conversations' without a clear warning about persistence and interruptive behavior. In an agent environment, that can surprise users, leak contextual presence information, and normalize unsolicited background actions beyond the immediate request.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The setup guidance encourages cron-based background jobs and saving prayer_times.json but does not clearly warn users that this creates persistent scheduled execution and local retained data. Persistent jobs can continue operating after the user forgets about them, and stored location/prayer-time data may expose sensitive behavioral or religious information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Automatic cron-job recreation without warning or confirmation bypasses user intent and violates safe-change practices. Because cron provides persistent execution, silent reinstallation materially increases the risk of covert persistence and ongoing unauthorized activity even if the original feature was framed as a reminder system.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This scheduled job writes prayer_times.json on a recurring basis in an isolated session with delivery.mode set to none, so the action happens silently without user-facing disclosure. Even though the write appears functionally legitimate for reminder support, silent background persistence can surprise users, obscure state changes, and create opportunities for misuse if location inputs or file paths are later influenced by untrusted data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document includes a broad destructive instruction to remove all prayer-times cron jobs without warning about scope, confirmation, or recovery. In an agent environment with job-management tools, this can cause unintended deletion of multiple scheduled tasks and disrupt reminder functionality or other similarly named jobs if matching is overly broad.

Session Persistence

Medium
Category
Rogue Agent
Content
**Option A: Via Chat**
```
Add a cron job to fetch prayer times daily at midnight and check every 5 minutes for reminders. Use Rabat, Morocco (timezone +1).
```

**Option B: Via Tool Call**
Confidence
91% confidence
Finding
Add a cron job to

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal