Skill v1.0.2
ClawScan security
Prayer Times Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 31, 2026, 5:57 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly matches its stated purpose (fetching prayer times, todos, journal) but has a few implementation/documentation mismatches and a hardcoded data path that don't add up and deserve clarification before installing.
- Guidance: This skill appears to be what it says (fetches prayer times, saves todos and journal locally), but there are a few inconsistencies you should resolve before installing: 1) The script hardcodes DATA_DIR to /root/.openclaw/workspace/memory while the docs say memory/*. Confirm the correct runtime memory path and whether the skill will write files in a container root directory. 2) The README/HELP text says reminders deliver notifications via Telegram, but the script does not set up cron jobs or call Telegram and does not request any Telegram token — ask the author how Telegram is supposed to work and where credentials would be stored. 3) If you need stricter isolation, request that the author use the platform-provided memory path (or an environment variable) instead of an absolute /root path. If you cannot get clarification, review and run the script in a safe, isolated environment (no sensitive host mounts) before enabling reminders or allowing autonomous invocation.
Review Dimensions
- Purpose & Capability (note): Name/description (prayer times, reminders, todo, journal) align with the code and SKILL.md: the script calls aladhan.com, stores todos/journal, and offers reminders. However, the SKILL.md promises 'notifications via Telegram' while the code never configures or calls Telegram nor asks for any Telegram credential — this is an unsupported feature claim. Also SKILL.md references memory/ files but the script hardcodes DATA_DIR to /root/.openclaw/workspace/memory (mismatch of described vs actual storage location).
- Instruction Scope (note): Runtime instructions and README describe only internet calls to aladhan and local file storage. The script follows that scope (curl, jq, file writes). Incoherences: reminders text promises Telegram delivery and scheduled notifications, but the script only writes a reminder.json and does not create cron entries or send messages. The script references /root path for storage rather than the relative memory paths described in docs.
- Install Mechanism (ok): No install spec; skill is instruction-only with a Bash script. No external downloads, package installs, or archive extraction are performed by the skill package itself — low install risk. Dependencies are only curl and jq which are reasonable for a Bash script parsing JSON.
- Credentials (concern): The skill requests no environment variables or credentials, which is appropriate. Concern: the script hardcodes DATA_DIR=/root/.openclaw/workspace/memory (writing under /root) instead of using the memory/ paths claimed in SKILL.md; depending on host configuration this could give the skill write access in an unexpected location. Also the documentation references Telegram notifications but no credentials or config variables are declared — either Telegram functionality is missing or required secrets are undisclosed.
- Persistence & Privilege (note): always is false and the skill does not request elevated privileges. It persists user data to local files (prayer-times.json, todos.md, journal.md) which is expected. There is no evidence it modifies other skills or agent configuration. The only persistence concern is the hardcoded absolute path which may place files under a root-owned workspace rather than a scoped skill directory.
