sg-property-scraper

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed Singapore property-listing scraper with optional Google commute calculations, and the flagged behaviors are purpose-aligned rather than hidden or deceptive.

Install dependencies in a virtual environment, use a restricted Google Maps API key with quotas if enabling commute calculations, and avoid using sensitive home or workplace addresses unless you are comfortable sending them to Google for routing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: When commute calculation is enabled, the script sends scraped property addresses and the user-provided destination to Google Routes API. This creates a third-party data disclosure path without an explicit user-facing consent prompt or clear disclosure at the point of use, which is a privacy/security concern in an agent skill context where users may not expect external sharing.

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal