Homestruk Tenant Screening

Security checks across malware telemetry and agentic risk

Overview

This skill gives visible tenant-screening guidance and draft-letter templates, but users should handle applicant data and saved rejection drafts carefully.

Install only if you are comfortable using an AI assistant for legally sensitive tenant-screening work. Confirm before saving any applicant data to disk, protect files containing SSNs, credit/background details, or adverse-action reasons, delete records when no longer needed, and have a qualified human verify current Massachusetts, Fair Housing, and FCRA requirements before sending final decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Low
Confidence: 84%
Finding
The skill explicitly directs the agent to save a rejection letter containing applicant-identifying and screening-decision data to a fixed local workspace path. Even though drafting letters is within the skill's business purpose, persisting potentially sensitive tenant data to disk without explicit user consent, data-minimization guidance, or retention controls creates unnecessary privacy and data-handling risk.

Vague Triggers

Medium
Confidence: 80%
Finding
The invocation phrases are broad and conversational, so the skill could activate during ordinary discussions about rentals rather than when the user intentionally wants a formal screening workflow. In this context, unintended activation is more concerning because the skill handles legally sensitive housing decisions and may prompt collection or generation of adverse-action materials affecting applicants.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill tells the agent to save rejection letters to a local file path without warning the user that applicant names, addresses, and decision reasons may be written to disk. Because tenant-screening artifacts can contain sensitive personal and credit-related information, silent persistence increases the risk of unauthorized access, over-retention, and privacy-law or policy violations.

VirusTotal

66/66 vendors flagged this skill as clean.
