Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Paragon MLS Fetch Listings

v1.0.0

Fetch all active property listings from a Paragon MLS shared listing GUID. Use when resolving a Paragon link or GUID into the parsed property records behind it.

by Earl Co @earlvanze

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for earlvanze/paragon-mls-fetch-listings.

Install the skill "Paragon MLS Fetch Listings" (earlvanze/paragon-mls-fetch-listings) from ClawHub.
Skill page: https://clawhub.ai/earlvanze/paragon-mls-fetch-listings
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install paragon-mls-fetch-listings

ClawHub CLI

npx clawhub@latest install paragon-mls-fetch-listings

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

The skill's purpose (resolve Paragon share GUIDs to listings) justifies requiring Node and network access to MLS CollabLink endpoints. However, the SKILL.md's MCP invocation points to an absolute path under /home/umbrel/.openclaw/workspace/deal-analyst/paragon-mls-mcp/dist/index.js — a developer-local path that is not provided by the package. That path dependency is disproportionate and inconsistent with the skill's registry metadata (no install, no packaged dist).

Instruction Scope

Instructions direct the agent to invoke an MCP tool at a hard-coded local filesystem location. They do not document where that code comes from, what network endpoints it will contact beyond generic 'CollabLink endpoints', or whether any secrets are required. The example shows an mcporter call which is reasonable, but the agent would attempt to execute a file that is not included in the skill bundle — scope/operational mismatch.

Install Mechanism

There is no formal install spec (lowest execution risk), but a scripts/build.sh is included that cd's into the same developer-local workspace and runs npm install && npm run build. Because the SKILL.md expects a dist/index.js at that path but the skill doesn't ship it, this implies either the skill was authored against a developer workstation or expects local developer artifacts — a packaging/installation omission that could lead to confusion or accidental execution of arbitrary npm installs if a user runs the script.

Credentials

The skill declares no required environment variables or credentials, which matches the absence of secret handling in SKILL.md. However, the runtime code (not provided) may require MLS-specific auth or other secrets; the skill does not declare or justify any such variables. The lack of declared credentials combined with an external code path is an inconsistency to clarify.

Persistence & Privilege

The skill does not request persistent/always presence and does not modify other skills' configuration. It is user-invocable and allows autonomous invocation (platform default), which by itself is expected and not flagged.

What to consider before installing

Do not run this skill as-is. The SKILL.md references a node program at an absolute developer path (/home/umbrel/.../dist/index.js) that is not included in the package; that makes the skill incoherent and could lead you to execute unreviewed build steps. Before installing, ask the publisher for: (1) the source repository or packaged release (e.g., GitHub or npm) that contains dist/index.js, (2) a corrected MCP command that does not point to a developer-local absolute path, (3) a clear list of network endpoints contacted and any environment variables or credentials required, and (4) a signed/reproducible install spec (or a vetted release URL). If you must test, inspect the actual index.js source code first and never run build.sh or npm install coming from an untrusted source. If the author cannot provide an independent public repo or packaged artifact, treat the skill as untrusted.
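
The pre-install checks recommended above can be partly automated. The following is an added example, not ClawHub's scanner or the skill author's code: a static audit that flags absolute developer-local paths, entry points the bundle does not ship, and build scripts that run package-manager or download commands. The sample bundle is constructed from the scan findings; the exact SKILL.md command line and build.sh contents are assumptions.

```javascript
// Added example: static pre-install audit of a skill bundle (not ClawHub's scanner).
// Absolute POSIX paths under typical user/system roots.
const ABS_PATH = /(?:^|[\s"'=])(\/(?:home|Users|root|opt|srv|var|tmp)\/[^\s"'`)]+)/g;
// Commands that download or execute third-party code.
const FETCH_EXEC = /\b(?:npm\s+(?:install|ci|run)|npx|yarn|pnpm|curl|wget)\b/;

// files: { "relative/path/in/bundle": "file text" }
function auditSkillBundle(files) {
  const shipped = Object.keys(files);
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split("\n").forEach((line, idx) => {
      const where = `${file}:${idx + 1}`;
      for (const m of line.matchAll(ABS_PATH)) {
        const abs = m[1];
        findings.push({ rule: "absolute-path", where, detail: abs });
        // Does the bundle ship anything matching the path's last two segments?
        const tail = abs.split("/").filter(Boolean).slice(-2).join("/");
        if (/\.[cm]?js$/.test(abs) && !shipped.some((f) => f.endsWith(tail))) {
          findings.push({ rule: "unshipped-entrypoint", where, detail: tail });
        }
      }
      // Build scripts that pull or run third-party code need review before use.
      if (/\.(?:sh|bash)$/.test(file) && FETCH_EXEC.test(line)) {
        findings.push({ rule: "build-time-fetch", where, detail: line.trim() });
      }
    });
  }
  return findings;
}

// Count findings per rule for a quick verdict.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.rule] = (counts[f.rule] || 0) + 1;
  return counts;
}

// Constructed sample bundle mirroring the scan findings (not the real files).
const sampleBundle = {
  "SKILL.md": [
    "# Paragon MLS Fetch Listings",
    "command: node /home/umbrel/.openclaw/workspace/deal-analyst/paragon-mls-mcp/dist/index.js",
  ].join("\n"),
  "scripts/build.sh": [
    "#!/bin/sh",
    "cd /home/umbrel/.openclaw/workspace/deal-analyst/paragon-mls-mcp",
    "npm install && npm run build",
  ].join("\n"),
};
```

Run `auditSkillBundle` over the unpacked bundle's text files before executing anything from it; an empty result is not proof of safety, only the absence of these three patterns.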

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: node
121 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
MIT-0

Paragon MLS Fetch Listings

Use the paragon-mls.fetch_listings MCP tool to resolve a shared Paragon MLS GUID into all parsed active listings behind it.

Prefer this skill when the input is a Paragon share link, GUID, or collaboration page rather than a single MLS number.

Typical use

  • unpack a Paragon shared link into the individual properties it contains
  • review all active listings attached to a GUID
  • turn one collaboration link into structured property records for downstream analysis

Example

mcporter call paragon-mls.fetch_listings mlsId="6d70b762-36a4-4ac0-bedd-d0dae2920867" systemId="globalmls"

Inputs

  • mlsId (required)
  • systemId (default: globalmls)

Output shape

Returns a JSON object with:

  • count
  • properties[]

Each property is already parser-normalized, so this is the best entry point before running deeper analysis.

Notes

  • This depends on the MLS region's public CollabLink endpoints.
  • If a GUID resolves but parsing is weak, inspect the source data with the raw-listings skill.
