Islamic Companion

The skill's code, network calls, and configuration needs match its stated purpose (prayer times, fasting, Zakat, Quran, quotes); no unexplained credentials or hidden exfiltration were found, though there are a few minor inconsistencies and usability/security caveats to review before use.

This skill appears to do what it claims. Before installing or running it: 1) Inspect whether a ./bin/islamic-companion wrapper is included in the package (the manifest provided shows lib/ and src/ files but no bin/ script); if missing, review src/main.py / lib scripts to understand how to invoke it. 2) The Zakat feature requires an API key (optional). Prefer exporting ZAKAT_API_KEY instead of embedding it in config.json, and only supply a key if you trust https://islamicapi.com. 3) The scripts will create/modify files inside the skill folder (config.json, config.bash, cache/). If you run as a privileged user these files could be created in a system-wide path—run as an ordinary user. 4) The skill prints CRON_ADD job JSON lines but does not automatically add cron entries; do not pipe printed output to crontab without reviewing the generated jobs. 5) One endpoint (calendarByCity in lib/calendar.sh) is called over HTTP; consider patching to HTTPS to avoid MITM if you care about transport security. 6) The bash JSON fallback parsers are fragile — install jq and python3/requests to use the more robust paths. If you want extra assurance, run the tool in a sandboxed environment and review network traffic to the listed external services (api.aladhan.com, api.alquran.cloud, ilm.islamic.network, islamicapi.com) before providing any API keys.