Skill v1.0.3
VirusTotal security
Housing Scout — Smart House(Sale or Lease) Search & Alerts · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 5:03 AM
- Hash: 94b8896fa343f21d8931d3d04ec65d9b1bc61c77568aab9ceb8490d65b809627
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: housing-scout-pro
  - Version: 1.0.3
  - The skill is classified as suspicious due to two significant vulnerabilities: a Server-Side Request Forgery (SSRF) risk and a Local File Inclusion (LFI) vulnerability.
  - The SSRF risk stems from the use of `https://r.jina.ai/http/...` in `scripts/housing_scout/providers/redfin.mjs` to proxy user-supplied URLs (e.g., via `--redfin-url`), which could be exploited to access internal network resources or cloud metadata if the proxy lacks robust protection.
  - The LFI vulnerability exists in `scripts/housing_scout/housing_scout.mjs`, where the `refresh_provider_cache` command directly reads a file specified by the `--from` argument using `fs.readFileSync` without path sanitization, potentially allowing an attacker to read arbitrary local files.
  - While the `SKILL.md` documentation warns against some of these risks, the code itself does not implement sufficient safeguards, making these critical vulnerabilities.
