Islamic Companion

Security checks across malware telemetry and agentic risk

Overview

This skill appears to match its advertised Islamic utility purpose, with reviewable scheduling output and some privacy and transport-security caveats.

Before installing, be comfortable with third-party API calls for location, Quran queries, quotes, and Zakat data. Prefer the ZAKAT_API_KEY environment variable over storing a key in config.json, install jq for safer parsing, review any CRON_ADD output before allowing scheduling, and consider changing HTTP endpoints to HTTPS and pinning the requests dependency.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and enables sensitive capabilities including network access, shell execution, local file read/write, and environment variable use, yet declares no permissions or trust boundaries. This creates a real security issue because users and agents cannot accurately assess what the skill may access or modify, especially since it can generate automation commands and use API keys.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose understates the actual behavior of the skill, which also performs Quran retrieval, quote fetching, calendar generation, cron-related automation output, and configuration changes. Description-behavior mismatch is dangerous because it weakens informed consent and can cause an agent or user to invoke higher-risk behaviors than expected, particularly anything related to persistence or system scheduling.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code emits a CRON_ADD job that schedules autonomous daily announcements without clear user consent beyond invoking --setup and without any visible permission, confirmation, disable, or audit controls. In agent environments, unattended recurring actions expand the skill's effective authority and can be abused for persistent unsolicited messaging or social-engineering delivery.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This file adds quote retrieval and scheduled quote delivery functionality that is outside the declared skill scope of prayer times, fasting schedules, and Zakat calculations. Scope drift matters in agent skills because it expands what the skill can cause the platform to do, including initiating recurring behavior the user may not reasonably expect from the manifest description.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code emits a cron-style job that schedules a daily agent turn, creating persistent automated behavior unrelated to the stated purpose. In an agent environment, unattended recurring execution increases risk because it can produce unexpected messages, normalize hidden automation, and serve as a foothold for future abuse if the skill later changes.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code sends user-supplied city and country data to a third-party API over plain HTTP, which exposes the request to interception and tampering by anyone on the network path. Even if the data is not highly sensitive, location queries are personal data and the lack of transport security creates both privacy and integrity risks.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
The scheduled automation hard-codes Asia/Jakarta, which can cause actions to run at unexpected local times for users in other regions. While not severe on its own, this becomes more risky in combination with autonomous announcements because it reduces user awareness and predictability of when the skill will act.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The module uses plain HTTP for Quran API requests, allowing a network attacker to intercept or modify responses in transit. Because the returned content is displayed to users and may be cached, a man-in-the-middle could inject false religious text, misleading content, or malformed data that propagates through the skill.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code places the API key directly in the request URL query string. Query parameters are commonly exposed in logs, browser/history equivalents, proxy records, monitoring systems, error messages, and upstream infrastructure, so the secret may be disclosed even when HTTPS is used. In this skill context, the key appears to protect access to a third-party service rather than highly sensitive user data, which keeps impact moderate but still makes credential leakage a real risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill transmits precise latitude and longitude from local configuration to a third-party API. Even though this is necessary for prayer-time functionality, undisclosed sharing of location data creates a privacy risk because it reveals sensitive user location information to an external service.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The code sends an API key to a third-party Zakat service without any disclosure in this file or manifest context. While API keys are expected in authenticated requests, lack of transparency about the external service and secret use increases operational and privacy risk if users or deployers are unaware of where credentials are being sent.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The skill hard-codes the timezone to Asia/Jakarta without deriving it from user settings or asking for consent. While not a direct code execution issue, this can cause automation to run at unintended times, undermining user expectations and making scheduled agent behavior less transparent and trustworthy.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The search method transmits raw user-provided keywords to a third-party service without disclosure or minimization, which can expose potentially sensitive religious interests or personal queries. This risk is increased because the transmission occurs over plain HTTP, allowing interception of the search terms in transit.

External Transmission

Medium
Category
Data Exfiltration
Content
    local enc_city=$(url_encode "$city")
    local enc_country=$(url_encode "$country")
    
    local url="http://api.aladhan.com/v1/calendarByCity?city=${enc_city}&country=${enc_country}&method=${CALCULATION_METHOD}&school=${CALCULATION_SCHOOL}&month=${month}&year=${year}"
    
    local response=$(api_call "$url")
    if [ $? -eq 0 ] && [ ! -z "$response" ]; then
Confidence
97% confidence
Finding
http://api.aladhan.com/

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
Confidence
98% confidence
Finding
requests

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
96% confidence
Finding
requests

VirusTotal

66/66 vendors flagged this skill as clean.
