Back to skill

Security audit

Real Estate Lead Qualifier

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for real-estate lead handling, but it would automate customer replies, calendar bookings, and pre-approval document handling without enough clear controls.

Install only after confirming exactly which lead sources, calendars, phone numbers, and document stores the skill can access. Use limited-permission accounts, start with human approval for replies and bookings, verify the ThumbGate setup before relying on legal-safety claims, and define how pre-approval PDFs are stored and deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises direct scheduling of viewings from inbound Zillow/Realtor.com leads but does not clearly warn operators about the risks of automatic calendar actions on potentially unverified lead data. This can cause unauthorized or low-quality bookings, calendar spam, and operational disruption, especially because the agent is designed to act automatically and at all hours.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.