Housing Scout — Smart House(Sale or Lease) Search & Alerts
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears aligned with housing search and alerts. It discloses considerations around running bundled Node commands, sharing listing and notification data externally, and saving state locally.
Before installing, be comfortable running the bundled Node scripts. Use only public real-estate URLs, carefully verify notification recipients, keep Telegram or gateway credentials outside the skill files, and periodically prune saved profiles, subscriptions, snapshots, and caches.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may execute the bundled local CLI to read/write its state files and perform listing searches.
The skill is designed to run bundled Node commands through exec. This is code execution, but it is disclosed and central to the housing search/profile/alert workflow.
command-dispatch: tool command-tool: exec ... `node ./scripts/housing_scout/housing_scout.mjs search --intent buy ...`
Use it only for intended housing tasks, review command arguments before running high-impact actions like cache refresh or subscription changes, and ensure you trust the bundled scripts.
The skill may fail or behave unexpectedly if Node is unavailable, and users must rely on the bundled code rather than an install-managed dependency set.
The registry metadata does not declare a Node runtime even though SKILL.md documents Node-based commands. This is an under-declared runtime dependency, not evidence of malicious behavior.
Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.
Confirm Node is available and review the bundled scripts before first use; the publisher should declare the runtime requirement in metadata.
Public listing URLs and fetched page content may be visible to the third-party proxy service.
Real-estate URL fetches may be routed through an external proxy. The behavior is disclosed and purpose-aligned, but it sends requested URL information outside the local runtime.
Redfin fetch path uses `https://r.jina.ai/http/...` in this runtime. This is a third-party fetch proxy.
Only use public real-estate URLs you are comfortable sharing, and do not provide localhost, intranet, cloud metadata, or other private URLs.
If the destination is wrong, housing alerts or listing details could be sent to an unintended recipient.
Alert delivery can transmit listing notification data to an external channel such as Telegram. This matches the alert feature and is explicitly disclosed.
Subscriptions/notifications can send data outside the runtime (`channel` + `to`). Verify recipients before enabling.
Verify chat IDs and channels before subscribing, keep messaging credentials outside skill files, and unsubscribe when alerts are no longer needed.
Saved housing preferences and notification targets may remain on disk and influence later searches or subscription runs.
The skill persists housing preferences, saved queries, alert destinations, and listing snapshots locally for future use. This is expected for profiles and alerts, but users should be aware of it.
The skill writes state under `./scripts/housing_scout/data/` (profiles, queries, subscriptions, snapshots, caches).
Periodically review and delete unused profiles, subscriptions, snapshots, and caches; do not point cache-refresh commands at unrelated sensitive files.
