Daily Devotion
v1.1.1Creates personalized daily devotions with verse of the day, pastoral message, structured prayer, and time-aware greetings
⭐ 1· 1.9k·1 current·1 all-time
byEric Kariuki@enjuguna
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (generate daily devotions from OurManna) is plausible, but SKILL.md explicitly requires Node.js/TypeScript, npm/npx helper scripts, and Internet access while the registry metadata lists no required binaries, env vars, or install spec. That mismatch is incoherent: either the skill is instruction-only and should not require installing code, or it legitimately needs Node/npm and should declare that.
Instruction Scope
Instructions tell the agent to call the OurManna API (expected) and optionally run helper scripts via npx/ts-node (which executes code). They also ask to 'personalize' using the user's known context/profile — a vague directive that could push the agent to gather or use additional user data. There are no explicit instructions to read local files or secrets, but the personalization guidance grants broad discretion and is not constrained.
Install Mechanism
No formal install spec is present in the registry (instruction-only), yet SKILL.md directs users to 'npm install daily-devotion-skill' or use 'npx daily-devotion-skill' and references a GitHub repo. Running npx/npm installs from external registries can execute arbitrary code; the lack of a declared install step in the manifest is an inconsistency and increases risk because the skill may rely on code not present in the platform.
Credentials
The skill requests no environment variables or credentials (proportionate for a read-only verse fetch). However, personalization instructions imply the agent should use user profile/context; that could lead to accessing user data not explicitly requested. No secrets are requested, which is appropriate, but the vague personalization could cause overreach.
Persistence & Privilege
The skill does not request persistent installation, elevated privileges, or 'always' inclusion. It is user-invocable only and does not ask to modify other skills or system-wide settings.
What to consider before installing
Before installing or running this skill:
- Note the mismatch: the manifest declares no install/runtime requirements, but SKILL.md expects Node.js, npm/npx, and ts-node. Treat the npm usage as a request to run third-party code.
- Verify the npm package and GitHub repository (https://github.com/enjuguna/Molthub-Daily-Devotion). Inspect its source code and any postinstall or executable scripts for unexpected network calls or data access before running npx or npm install.
- Understand personalization: the skill asks to tailor devotions to the user's "known context/profile" — confirm what data the agent will use (profile fields, message history, contacts). If you want to limit data access, avoid granting extra profile/context to the skill.
- Be cautious with npx: running npx executes code directly from the registry and can run arbitrary scripts. Prefer auditing the package locally (download and inspect) rather than running via npx.
- Check the OurManna API usage: the endpoint is public, but verify rate limits and whether the package exposes any keys or telemetry.
If you cannot or will not audit the npm package and helper scripts, consider using a purely instruction-only approach (have the agent fetch the OurManna JSON directly and generate devotion text without running third-party code) or decline installing the package.Like a lobster shell, security has layers — review code before you run it.
latestvk9776b5bax3kgj5n1egg62vn7x809hxh
License
MIT-0
Free to use, modify, and redistribute. No attribution required.