Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Housing Scout — Smart House(Sale or Lease) Search & Alerts

v1.0.3

Find and monitor housing listings (buy/rent), apply practical filters, and manage subscription-style alerts in any supported region. Use when the user asks t...

by Junyi Jiao (@junyij)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (search, compare, alerts) align with the bundled Node.js runtime and provider adapters (Redfin, Zillow, Realtor), the query/profile/subscribe flows, and local persistence. The code implements searching, deduping, ranking, comps, and subscription management as advertised.
Instruction Scope
Runtime instructions tell the agent to run the provided node scripts under ./scripts/housing_scout/ and to store state under ./scripts/housing_scout/data/. The SKILL.md and code explicitly call out external fetches (notably Redfin endpoints routed through r.jina.ai) and that subscription destinations can deliver data outside the runtime. Those behaviors are within the stated purpose but represent explicit data egress points that users must consider.
Install Mechanism
No install spec is provided (instruction-only install), and all code is bundled with the skill. There are no downloads from arbitrary URLs or package installs declared in the skill metadata, which reduces installation risk.
Credentials
The skill does not request environment variables or credentials in metadata. Notification delivery (Telegram) is referenced but the skill states it does not store bot tokens in files and expects credentials to be configured separately in gateway or env. No unrelated credentials or config paths are requested.
Persistence & Privilege
The skill stores and reads JSON state only under its own ./scripts/housing_scout/data/ directory, with snapshots under its snapshots path. always is set to false, and the skill does not modify other skills or system-wide configuration in the reviewed files.
Assessment
This skill appears to do what it says (searches providers, ranks listings, and manages local subscriptions). Before installing:

1) Be aware that Redfin fetches are routed through a third‑party proxy (https://r.jina.ai/http/...). Do not supply private/internal URLs or cloud metadata endpoints, because the proxy will fetch them.
2) Subscriptions/notifications can deliver listing data to external channels (e.g., Telegram). Double-check the 'to' targets and configure bot credentials securely via your gateway (do not commit tokens into skill files).
3) The skill persists profiles, queries, subscriptions, caches, and snapshots under its data directory. If you want to avoid lingering data, run it in an isolated workspace and periodically clear ./scripts/housing_scout/data/.
4) If you need to remove the third‑party proxy risk, review/replace fetchViaJina calls with a fetch mechanism you control.

Finally, note that some files were truncated in the listing. If you want higher confidence, request a full file dump and/or run a local code audit before running the skill in production.


latestvk970j6ram1s2b3jqngdxq8gjgx8270k6
