Is diepox/muslim-prayer-reminder safe?

CRITICAL_SETUP.md provides explicit copy-paste content to append to the user's AGENTS.md file that instructs every future agent session to check the prayer reminder system before performing any user-requested task. It also instructs the agent to recreate missing cron jobs autonomously without asking. Because AGENTS.md persists across sessions, this constitutes a durable cross-session prompt injection.

The cron job messages in example-cron-jobs.json and CRITICAL_SETUP.md are agent-turn payloads that run in isolated sessions every 5 minutes. They contain 'SALAT FIRST' priority framing and directives such as 'This is THE MOST IMPORTANT job. Prayer is the first priority. Never skip this check.' This creates a recurring injection of behavioral priority instructions into automated contexts outside user oversight.

SKILL.md includes a 'Quick fix' section presenting a multi-step sudo command sequence to add a new apt repository and install Cloudflare WARP, a system-level VPN. If the agent executes this, all subsequent network traffic — including any sensitive API calls the agent makes — would be routed through Cloudflare's infrastructure, eliminating network-level auditability.

Every major document in the skill (README.md, CRITICAL_SETUP.md, VERIFICATION.md) closes with a Quranic verse and uses emotionally loaded language like 'Missing a prayer reminder is a CRITICAL FAILURE', 'Prayer is not optional — it's the foundation of faith', and 'Never let them miss Salat'. This is a deliberate social engineering pattern that leverages religious sentiment to make users and agents reluctant to audit, remove, or reduce the priority of the skill's persistent infrastructure.

The skill openly documents that its reminder infrastructure will consume approximately 60,000–65,000 tokens per day (~$1.80–$2.00/month) through 288 automated cron executions, regardless of whether the user actively uses the skill. This is a consent issue: users installing a prayer-times skill are unlikely to anticipate a permanent ~$2/month API budget drain.

The included push-to-github.sh script contains a hardcoded cd to /root/.openclaw/workspace/openclaw-prayer-times, indicating the skill was authored and tested in an environment where the agent runs as root. Skills designed for root execution contexts carry elevated risk for any shell commands they instruct the agent to run.

Once configured, the cron infrastructure sends the user's city, country, and/or GPS coordinates to api.aladhan.com up to 288 times per day. While this API appears legitimate, the frequency and persistence of location data transmission without a clear data retention or privacy policy constitutes an ongoing data exposure risk.

Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were read at auditd events 263-268 (pre-clone, 1771909284) and 1517-1522 (post-install, 1771909307). Both access clusters are consistent with audit infrastructure baseline sweeps. Canary integrity is confirmed intact, but the post-install access at 1771909307.674 — occurring 5 seconds after the .githooks audit check — could not be definitively excluded as skill-triggered without process-level attribution.

The autonomous isolated-session cron infrastructure this skill creates (sessionTarget: isolated, everyMs: 300000, delivery mode: announce to last active channel) represents a persistent background execution framework. In a multi-skill agent environment, a subsequent malicious skill could exploit the already-established cron infrastructure or the AGENTS.md modifications to schedule unauthorized recurring actions.