Hauscout
v1.0.0Hauscout 부동산 데이터 수집/분석 파이프라인. HouseSigma에서 매물을 자동 수집하고 AI 분석 후 Neon PostgreSQL에 저장. '매물 수집', '부동산 데이터 수집', 'hauscout', '수집 실행', '부동산 크롤링' 요청 시 사용.
⭐ 0· 250·1 current·1 all-time
by@sonim1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The described purpose (crawl HouseSigma, analyze with an LLM, store into Neon Postgres) matches the instructions, but the skill metadata declares no required env vars/credentials while the instructions explicitly require a DATABASE_URL (via .env.local) and implicitly require API credentials for AI calls and git push credentials. The absence of those declarations is incoherent.
Instruction Scope
SKILL.md directs the agent to run commands in a user-specific absolute path (/Users/kendrick/projects/hauscout), run Playwright to visit external sites, extract DOM text, write summary files under memory/YYYY-MM-DD.md, and git commit & push. It also shows a DB-check snippet that expects .env.local. These actions read/write local files, network resources, and potentially push to remote git — broader scope than the metadata implies.
Install Mechanism
There is no install spec (instruction-only), which is low risk in itself. However the instructions assume a Node/TS environment (npx tsx), Playwright, and database/ORM packages are present. The skill will fail or behave differently unless those dependencies exist, and those dependencies could pull in binaries (Playwright browsers) when installed.
Credentials
Metadata lists no required env vars, but the SKILL.md uses process.env.DATABASE_URL (via .env.local) and references GPT-4o-mini analysis (which typically requires model/API credentials). It also triggers git push which requires git remote credentials. Requesting database and API credentials would be proportionate to the task, but they must be declared — the omission is a red flag.
Persistence & Privilege
always:false and model invocation not disabled (normal). The skill does not request permanent platform-level privileges, but it does mutate local state (writes memory/*.md, database writes, git commits/pushes). That local persistence is expected for the stated purpose but should be made explicit in metadata and user consent prompts.
What to consider before installing
Do not run this skill blindly. Before installing or executing: 1) Inspect the repository files (especially scripts/collect.ts, package.json) to see exactly which secrets and APIs it uses (DATABASE_URL, OPENAI_API_KEY or similar), what network calls it makes, and whether it actually contains Playwright/browser automation. 2) Expect to supply a DATABASE_URL and likely an OpenAI/API key and git credentials — verify those are only used for the declared purpose. 3) Because the SKILL.md uses an absolute user path, either run it from a controlled copy in an isolated environment (VM/container) or update paths to a safe workspace. 4) Review and test in a sandbox (no production DB), and confirm compliance with HouseSigma's terms of service and rate limits. 5) If you cannot inspect the underlying scripts or the author cannot justify the undeclared credentials and the use of absolute paths, avoid installing — the metadata/instructions mismatch makes the skill suspicious.Like a lobster shell, security has layers — review code before you run it.
latestvk97b6ez4b3esdcz5qp1hf2nzms829nyv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.