Tmp.Z3QJilBgmf

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is a disclosed Zillow MCP helper that reads Zillow listing and saved-account data through a signed-in browser session, with privacy caveats users should understand.

Install only if you trust zillow-mcp and fetchproxy and are comfortable letting an agent use your signed-in Zillow browser session. Use explicit prompts for saved homes or saved searches, and remove the MCP config or browser extension when you no longer need this access.

SkillSpector (1)

By NVIDIA

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger description is very broad, covering many generic real-estate and Zillow-related phrases, which increases the chance the skill will be invoked when a user did not explicitly intend to use this integration. Because the skill can access signed-in Zillow session data such as saved homes and saved searches, an unintended invocation could expose personal account data or send queries through the user's authenticated browser context.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal