IDX CMA Report

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its CMA-reporting purpose, but its generated interactive HTML can render listing text unsafely, and its optional Gemini publishing step shares property data outside the local environment.

Before installing or using this skill, update or verify the HTML generation so listing fields are safely escaped, and only publish to Gemini/Google after confirming the property and client data can be shared.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or corrupted listing field could alter the report, run script in the browser, or expose data from the generated CMA page when opened or shared.

Why it was flagged

The generated interactive page places listing data into innerHTML rather than rendering it as escaped text. If IDX or comp data contains HTML or JavaScript-like content, it could run when the local or hosted CMA page is viewed.

Skill content

tr.innerHTML = `... <td>${comp.address || "N/A"}</td> ...`;

Recommendation

Render table cells with textContent/createElement or sanitize and escape every string field before insertion; also escape JSON embedded in script blocks and consider a restrictive Content Security Policy before publishing.

What this means

Subject property details, comparable listings, valuation estimates, and possible location fields may be shared with Google and with anyone who receives the hosted link.

Why it was flagged

The workflow explicitly sends the generated CMA data to a third-party AI tool and may create a hosted/shareable version. This is purpose-aligned and user-directed, but it changes the data boundary.

Skill content

Open Google AI Studio ... Paste the generated prompt and provide `cma_data.json` ... Request hosted/shareable output if available

Recommendation

Confirm the data may be shared, remove unnecessary private fields, and review Google/Gemini sharing settings before publishing.