Ramadan Times

Security checks across malware telemetry and agentic risk

Overview

This is a simple Ramadan time helper with no malware-like behavior, but its documentation promises more accuracy, language support, and location support than the script actually provides.

Install only as a casual helper. Verify fasting and prayer times with a trusted local mosque or official calendar, because the implementation is approximate and much narrower than advertised. Be aware that the selected or default city coordinates are sent to sunrise-sunset.org, and jq may be needed for the API-backed result to work correctly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill declares no permissions while indicating shell-capable dependencies such as curl and date, which creates a transparency and governance problem. Even if the intended use is benign, undeclared execution and network capability can enable unexpected outbound requests or shell-based behavior without clear user or platform consent.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The skill materially overclaims its behavior: it advertises automatic location detection, broad multilingual and city support, and accurate Ramadan/prayer times, while the analyzed behavior relies on approximations and limited support. This is dangerous because users may trust inaccurate religious timing information or unknowingly trigger external API usage under false assumptions about how data is handled.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
Broad triggers like 'ramadan' or 'prayer times' can cause accidental activation during ordinary conversation, which may invoke the skill unexpectedly. In a skill that may auto-detect location or call external services, unintended invocation increases privacy and consent risk even if the underlying function is not overtly malicious.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The description omits a user-facing warning that location may be auto-detected and that external APIs may be contacted. That lack of notice undermines informed consent and can expose user location or timezone-derived data to third parties without the user's clear understanding.

Missing User Warnings

Severity: Low
Confidence: 76%
Finding:
The script sends location-derived data to an external third-party service without notifying the user or obtaining consent. Even though the transmitted data is only coordinates from a hardcoded city mapping, it still creates an undisclosed external data flow and privacy risk in a skill context where users may not expect network transmission.

VirusTotal

62/62 vendors flagged this skill as clean.
