ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Paragon MLS Fetch Property

v1.0.0

Fetch a single property from Paragon MLS by MLS number and system ID. Use when looking up one listing's parsed details, including address, price, beds, baths...

0· 116·0 current·0 all-time
byEarl Co@earlvanze

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for earlvanze/paragon-mls-fetch-property.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Paragon MLS Fetch Property" (earlvanze/paragon-mls-fetch-property) from ClawHub.
Skill page: https://clawhub.ai/earlvanze/paragon-mls-fetch-property
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install paragon-mls-fetch-property

ClawHub CLI

Package manager switcher

npx clawhub@latest install paragon-mls-fetch-property
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to call an MCP (paragon-mls.fetch_property) but does not include the MCP code. SKILL.md hard-codes an absolute local path (/home/umbrel/.openclaw/workspace/deal-analyst/paragon-mls-mcp/dist/index.js). A registry user who does not already have that workspace will be unable to run or audit the actual code; requiring node alone is insufficient (mcporter and the MCP implementation are missing from the bundle).
!
Instruction Scope
Runtime instructions tell the agent to run an MCP at a local filesystem path and give an example using 'mcporter call'. That means the agent will execute code (node /.../dist/index.js) whose behavior is unknown to the reviewer. While the SKILL.md itself doesn't request unrelated files or credentials, executing unknown local JS may read files, call networks, or exfiltrate data — operations not visible from the skill text.
!
Install Mechanism
There is no formal install spec, but a provided scripts/build.sh runs npm install and npm run build in the same absolute workspace path. Running that script would fetch dependencies from npm and build code that is not part of the skill bundle — a non-trivial risk because the code being installed/executed is external to the registry entry and cannot be audited here.
Credentials
The skill declares no required env vars or credentials, which is proportionate to a read-only MLS lookup. However, because it delegates to external/local code, that code could request or access secrets at runtime; the skill itself does not declare or justify any credentials but cannot guarantee the MCP won't use them.
Persistence & Privilege
always is false and there is no indication the skill requests persistent system-wide privileges or modifies other skills' configs. Autonomous invocation is enabled by default but is not by itself an unexpected privilege here.
What to consider before installing
Do not install or run this skill unless you control and have inspected the referenced MCP code. The SKILL.md points to an absolute local path (/home/umbrel/.openclaw/workspace/deal-analyst/paragon-mls-mcp/dist/index.js) that is not included in the bundle; the included build.sh will run npm install in that workspace and build code you can't audit from the registry. Ask the publisher to: (1) include the MCP implementation (source) or publish it as a verifiable package, (2) remove hard-coded absolute paths, and (3) document required binaries (mcporter) and any network endpoints the MCP will call. If you must run it, inspect the referenced files first, run the build in an isolated environment, and avoid supplying secrets until you can confirm the code's behavior.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binsnode
latestvk97f10qshxst284py0909t8mf1857jn4
116downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
Earl Co@earlvanze
latest
Download

Paragon MLS Fetch Property

Use the paragon-mls.fetch_property MCP tool to look up one property by MLS number.

Prefer this skill when the user wants one listing summarized, not a portfolio analysis.

Typical use

  • look up a single property from an MLS number
  • inspect parsed rent, tax, square footage, and bed/bath fields
  • grab map and listing links for one deal
  • sanity-check whether the parser extracted usable investment inputs

Example

mcporter call paragon-mls.fetch_property mlsNumber="201918514" systemId="globalmls"

Inputs

  • mlsNumber (required)
  • systemId (default: globalmls)
  • mlsId (optional, mainly for link generation)

Output shape

Expect parsed fields like:

  • address and formatted full address
  • current and previous price when available
  • beds, baths, square footage, year built
  • unit rents, taxes, HOA, remarks
  • Google Maps and Paragon/Zillow-style links

Notes

  • Some MLS regions expose different field labels, so missing fields do not always mean missing property data.
  • If the parsed result looks incomplete, use the raw-listings skill next.

Comments

Loading comments...