Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Homestruk Rent Comps

v1.0.0

Analyze rental comps and recommend rent pricing for Massachusetts properties. Use when user asks about rent pricing, market rent, comparable properties, rent...

by Adams Jean Baptiste (@adamsjb)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The stated purpose (rent comps for MA properties) matches the actions (web searches and comp adjustments). However the SKILL.md instructs the agent to read ~/.openclaw/shared/properties.json and save reports under ~/.openclaw/workspace — these config/file path accesses are not declared in the skill metadata (requires.config paths is empty), an incoherence between claimed requirements and actual instructions.
! Instruction Scope
Runtime instructions tell the agent to 'ask for or look up' a local file (~/.openclaw/shared/properties.json), run multiple web_search queries, and write reports to ~/.openclaw/workspace. The 'ask for or look up' wording grants broad discretion to access local files and possibly sensitive tenant/property data. The skill also instructs scraping/listing extraction from Zillow/Apartments/Craigslist but does not limit or document what data may be collected or how often (rate limits/TOU).
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That is the lower-risk model for installation.
! Credentials
No environment variables or credentials are requested in the metadata, but the instructions require reading and writing specific user-home paths. Accessing ~/.openclaw/shared/properties.json could expose tenant names, contact info, or other sensitive data; this filesystem access should have been declared in requires.config paths or explained in the description.
Persistence & Privilege
The skill is not always-enabled and does not request elevated privileges. It does persist generated reports under ~/.openclaw/workspace, which is a normal behavior for a tool, but this write access is not declared in the metadata.
What to consider before installing
Before installing or allowing this skill to run, confirm these points with the publisher or inspect the SKILL.md carefully:
(1) the skill will look for and may read ~/.openclaw/shared/properties.json — check that file for any sensitive tenant or credential data and remove or sanitize it if needed;
(2) the skill will write reports to ~/.openclaw/workspace — ensure you are comfortable with those files being created and where they will be stored and backed up;
(3) the skill performs web searches/scraping of Zillow/Apartments/Craigslist — verify this behavior is acceptable under those sites' terms of service and that scraping frequency is limited;
(4) there is no homepage or publisher contact in the metadata — consider requesting provenance/author verification (homestruk.com references in the SKILL.md should be validated) before giving the agent access to local property files;
(5) if you store personally identifiable tenant information in properties.json, either redact it or do not allow the skill to read that file.
If the publisher can confirm and update the skill metadata to declare the config paths it uses (and explicitly state what local data is read and written), that would resolve the main coherence concerns.
