Security audit

student-rooms

Security checks across malware telemetry and agentic risk

Overview

This is a coherent student-housing availability skill, but users should understand where alerts are sent and what local monitoring state or jobs it may create.

Use the default stdout mode if you want results to stay local. Before enabling webhook, Telegram, OpenClaw agent mode, watch mode, or create_job_on_match, confirm the destination, expected payload, how to stop monitoring, and how to remove any saved state or scheduled job.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly supports webhook, Telegram, and OpenClaw notification backends but does not warn that user query details, accommodation preferences, booking URLs, or monitoring results may be transmitted to third-party services. In an agent setting, this can cause unintended disclosure of potentially sensitive user data to external endpoints controlled by the user, an integrator, or an attacker.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal