Tmp.FhAd35JJEa

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed, read-only homes.com lookup helper, but users should understand it relies on an external MCP package and a browser extension that uses their active homes.com browser session.

Install only if you are comfortable running the homes-mcp npm package and the fetchproxy Chrome extension. Keep it limited to homes.com lookup tasks, review the external package and extension permissions, and avoid using it with browser sessions containing sensitive account activity beyond the listing data you intend to query.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger description is broad enough to activate on many generic references to homes.com properties, prices, or photos, which can cause the skill to run in situations the user did not clearly intend. In this skill's context, that matters because activation can route requests through a signed-in browser session and invoke scraping behavior against a live site, increasing the chance of unintended data access or surprising tool use.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal