Real Estate

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate Camino AI real-estate lookup tool that sends user-provided addresses or coordinates to Camino for processing.

Install this only if you are comfortable sending the addresses or coordinates you enter to Camino AI under your CAMINO_API_KEY. Use a key intended for this service, watch quota or billing terms, and prefer the specific camino-real-estate install command rather than the full Camino skill suite unless you want all companion skills.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill explicitly requires shell binaries (`curl`, `jq`) and documents execution of local shell scripts, but the metadata does not declare corresponding permissions. This creates a transparency and policy gap: users or hosts may not realize the skill can execute shell commands and make network requests, increasing the chance of unintended command execution and data handling beyond expectations.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill asks users to provide addresses or coordinates, then sends that location data to Camino's external API, but it does not give an explicit privacy warning at the point of use. Addresses and precise coordinates can be sensitive personal data, so failing to disclose third-party transmission meaningfully weakens informed consent and increases privacy risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal