Security audit

Laylatul Qadr Guide

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Ramadan worship-planning skill with minor privacy considerations but no evidence of hidden, destructive, or exfiltrating behavior.

Install only if you want personalized last-ten-nights worship planning. Share only personal details you are comfortable having in generated plans, approve calendar access only if you explicitly want it, and remember that the HTML checklist can save progress locally in the browser.

SkillSpector (by NVIDIA)

Vulnerability patterns checked:
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Severity: Medium (89% confidence)

Finding: The skill explicitly calls for integration with the user's calendar for prayer time calculations even though the skill is primarily a spiritual guidance and planning tool. That expands data access beyond what is necessary, risks collecting sensitive scheduling information, and creates an unnecessary privacy exposure if the integration is auto-triggered or broadly enabled.

Vague Triggers

Severity: Medium (90% confidence)

Finding: The README states the skill will "automatically trigger for Ramadan-related queries," which is broader than the narrowly scoped Laylatul Qadr use case described elsewhere. Over-broad invocation can cause the agent to activate for generic religious requests, leading to unwanted collection of personal context, confusing responses, or superseding more appropriate skills. In a faith-guidance context, accidental triggering is more sensitive because users may disclose personal spiritual, family, or health details.

Vague Triggers

Severity: Medium (83% confidence)

Finding: The manifest description defines very broad triggers such as general Ramadan preparation, schedules, routines, and personalized plans, which can cause the skill to activate in many conversations where the user did not specifically ask for this functionality. Over-broad invocation increases the chance of unnecessary collection of sensitive religious, family, health, and routine information and can route user interactions into a specialized skill without clear user intent.

Vague Triggers

Severity: Medium (86% confidence)

Finding: The instruction to trigger for "any Ramadan-related queries" during or while preparing for the last ten nights is an ambiguous catch-all that can overreach far beyond the skill's legitimate scope. In context, this is more dangerous because the skill is designed to ask for contextual personal details such as timezone, family responsibilities, health, and goals, so over-triggering can lead to unnecessary profiling and data collection.

Missing User Warnings

Severity: Low (78% confidence)

Finding: The page silently persists worship-progress checkbox states in localStorage without informing the user. While the stored data is limited, it can still reveal personal religious activity to other people with access to the same browser profile or device, making this a minor privacy issue in the context of a spiritually focused skill.

VirusTotal

63/63 vendors flagged this skill as clean.