critical
suspicious.dangerous_exec
- Location
- engine.js:121
- Finding
- Shell command execution detected (child_process).
Prayer Times Id
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.dangerous_exec
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
NoteHigh Confidence
ASI02: Tool Misuse and ExploitationWhat this means
Running the skill normally will add reminder jobs to OpenClaw; running with --dry-run will only simulate the output.
Why it was flagged
The skill invokes the OpenClaw CLI to add cron system events. This matches the stated purpose and avoids shell string interpolation, but it is still local command execution that can modify the user's OpenClaw schedule.
Skill content
return execFileSync('openclaw', args, { ... }); ... 'cron', 'add', '--name', name, '--at', whenIso, '--system-event', message, '--delete-after-run', '--json'Recommendation
Use --dry-run first, then run normally only if you want OpenClaw cron reminders added for the remaining prayer times today.
NoteHigh Confidence
ASI07: Insecure Inter-Agent CommunicationWhat this means
The external prayer-time provider will receive the configured coordinates and calculation method.
Why it was flagged
The configured latitude and longitude are sent to the external AlAdhan API to calculate prayer times. This is disclosed and purpose-aligned, but location data can be sensitive.
Skill content
const timingsUrl = `https://api.aladhan.com/v1/timings?${queryParams.join('&')}`; ... `latitude=${encodeURIComponent(latitude)}` ... `longitude=${encodeURIComponent(longitude)}`Recommendation
Only configure a location you are comfortable sharing with AlAdhan, and review the API dependency if you need stricter privacy.
NoteHigh Confidence
ASI10: Rogue AgentsWhat this means
Reminder events may appear later even after the script has exited, until each one-shot job runs and deletes itself.
Why it was flagged
The skill creates scheduled system-event jobs that persist until they fire, but it uses delete-after-run and only schedules the prayer times that have not yet passed for the current day.
Skill content
'--at', whenIso, '--system-event', message, '--delete-after-run'
Recommendation
Review your OpenClaw cron list if you want to confirm or remove scheduled reminders.
NoteMedium Confidence
ASI04: Agentic Supply Chain VulnerabilitiesWhat this means
The skill may fail or behave differently if Node.js or the expected OpenClaw CLI is not installed or not the trusted binary in PATH.
Why it was flagged
The skill documents runtime prerequisites, while the provided registry requirements say no required binaries and there is no install spec. This is an installation/declaration gap rather than hidden behavior.
Skill content
- Node.js 18+ (disarankan 20+)\n- OpenClaw CLI tersedia di PATH (`openclaw`)
Recommendation
Ensure Node.js and the official OpenClaw CLI are installed before running the skill.