Back to skill

Security audit

Daily Devotion

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly described Christian daily-devotion generator with a disclosed verse API call and no evidence of hidden data access or harmful behavior.

Install this if you want explicitly Christian devotional content. Be aware it may personalize prayers from context you provide or that your agent already knows, it may contact OurManna to fetch a daily verse, and any optional npm/npx helper package should be reviewed before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill directs the agent to make a network request to an external API and also references helper scripts that fetch remote content, but it does not clearly require explicit user awareness or consent at the moment of use. This can expose user context, metadata, or invocation behavior to third parties and creates a supply-chain/privacy boundary the user may not expect.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The skill mandates a single religious closing formula and gives no option to tailor or omit it based on user preference. In a devotional skill this is contextually expected, but forcing a specific faith expression without opt-in can create consent, inclusivity, and trust issues, especially if invoked in broader or mixed-audience contexts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.