Idealista

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Idealista API helper, with disclosed credential use and no evidence of hidden or unrelated behavior.

Before installing, review the external idealista-cli repository or pin a known commit. Prefer environment variables or a secret manager for the API key and secret; if using the config file, keep it private, avoid committing it, and rotate credentials if they may have been exposed. Search locations and property criteria will be sent to Idealista as part of normal use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs users to persist OAuth client credentials locally in a config file and identifies the exact path, but provides no warning about filesystem permissions, plaintext storage, multi-user systems, or secret rotation. This increases the chance of credential disclosure through local compromise, backups, shell history, or accidental file sharing, especially because these are long-lived API secrets rather than short-lived tokens.

VirusTotal

65/65 vendors flagged this skill as clean.
