Pipeworx attom

Security checks across malware telemetry and agentic risk

Overview

This is a simple real-estate data connector, but users should know their property or location searches go to an external MCP service.

Install only if you are comfortable sending property addresses, ZIP codes, coordinates, and related real-estate queries to the Pipeworx/ATTOM MCP gateway. Avoid submitting sensitive personal context unless you trust that provider's data handling practices.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill exposes property, school, and location-based lookup capabilities backed by a remote MCP endpoint, but the description does not warn users that addresses, ZIP codes, or latitude/longitude queries are transmitted to an external ATTOM service. This creates a real privacy and data-handling risk because users may submit sensitive location information without informed consent, especially in contexts involving homes, rentals, or schools.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal