ClawHub
Back to skill

Security audit

Real Estate Sales Leasing And Valuations

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AgentPMT real-estate lookup tool; it handles precise property and owner-related data, but that access matches its stated purpose and it does not install local code or perform hidden actions.

Install only if you are comfortable sending property addresses, coordinates, and related real-estate query details to AgentPMT for lookup. Use it for authorized property research, keep inputs to the minimum needed, and avoid logging personal property details or credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly advertises access to owner information, tax history, and property records, which can contain privacy-sensitive personal data, but it does not provide user-facing guidance on lawful use, data minimization, or consent. In this context, the danger is misuse or over-collection of personal information by downstream agents or users who may treat the capability as routine lookup without privacy safeguards.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The schema exposes support for latitude/longitude-based area searches and precise address inputs, but it provides no user-facing notice that this sensitive location data may be sent to an external AgentPMT-hosted service. In a real-estate context, exact property and location queries can reveal a user's residence, search behavior, or target properties, creating meaningful privacy and data-handling risk even if the feature is legitimate.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The value and rent estimate actions accept full street addresses or exact coordinates, which are highly sensitive when tied to a user's home, rental interest, or investment targets, yet the schema does not warn that these details may be transmitted externally. Because these actions are specifically designed to process identifiable property information, the omission increases the chance that agents send sensitive data without informed user consent.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal