
Security audit

05 Mena Property Listing Generator

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a real-estate listing workflow, but it uses broad LLM environment credentials in a way that could send an API key and listing data to the wrong endpoint.

Install only if you are comfortable with listing details and agent identity being sent to an external LLM provider. Use a provider-specific key, avoid leaving unrelated OPENAI_API_KEY or LLM_API_KEY values in the environment, do not set LLM_BASE_URL to an untrusted host, and review/delete the local ~/.openclaw/mena-property-listing-generator data if it contains sensitive client or business information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tainted flow: 'req' from os.environ.get (line 233, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
"User-Agent": USER_AGENT,
            }
        )
        with urllib.request.urlopen(req, timeout=30) as r:
            result = json.loads(r.read())
            return result["choices"][0]["message"]["content"].strip()
    except Exception:
Confidence
93% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as r:

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and documents capabilities that require environment access, file writing, and likely network use, but it does not declare permissions or provide transparency about those operations. This weakens the security boundary for users and reviewers, making it harder to assess what data may be read, written, or transmitted during execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior goes beyond simple listing generation and includes agent profile management, persistent storage, bulk processing, and listing retrieval/formatting workflows that imply retained state and broader data handling. When a skill's declared purpose understates its actual behavior, users cannot give informed consent and may expose more personal or business data than expected.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill processes property photos, specs, branding assets, phone numbers, and agency details, and it references an external LLM/OpenClaw setup, but it does not warn users that this data may be transmitted to external services or stored. In a real-estate context, these materials can contain sensitive business information, embedded metadata, or identifiable personal details, so omission of a privacy warning increases the risk of accidental data disclosure.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The marketing copy states that users should provide property photos and basic specs, but it does not disclose any privacy, consent, or data-handling considerations for uploaded images and listing data. In a real-estate workflow, photos can expose occupants, minors, documents, geolocation clues, security features, or other sensitive details, so omission of this warning can mislead users into sharing data without appropriate safeguards.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill transmits property metadata and agent-identifying information to an external LLM service without explicit user disclosure or consent at the point of use. In a real-estate workflow this increases privacy and compliance risk, especially where agent phone numbers, business inventory, or unpublished listing details may be sensitive.

External Transmission

Medium
Category
Data Exfiltration
Content
api_key, _ = get_llm_api_key()
    if not api_key:
        return None
    base_url = os.environ.get("LLM_BASE_URL", "https://api.minimax.chat/v1")
    try:
        data = json.dumps({
            "model": "minimax/MiniMax-M3",
Confidence
88% confidence
Finding
https://api.minimax.chat/

VirusTotal

63/63 vendors flagged this skill as clean.
