Hauscout

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for a real-estate collection workflow, but it can trigger scraping, AI processing, remote database writes, local memory files, and Git pushes without a clear confirmation boundary.

Install only if you control and have reviewed the referenced local Hauscout project and its credentials. Prefer running with --dry-run first, confirm the target database and Git remote, and require the agent to ask before scraping, writing to Neon, creating memory files, committing, or pushing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (92% confidence)
Finding
The skill advertises invocation triggers such as '매물 수집', '부동산 데이터 수집', and '수집 실행', which are broad enough to match ordinary user requests and could cause the agent to launch a real collection pipeline unexpectedly. In this skill, invocation is especially sensitive because it leads to web scraping, AI processing, and database writes, so accidental triggering creates meaningful operational and privacy risk.

Missing User Warnings

Medium (95% confidence)
Finding
The skill explicitly describes impactful operations—automated collection from HouseSigma, AI analysis, and writes to Neon PostgreSQL—but does not present a clear warning or consent boundary to the user. Without an explicit notice and confirmation, a user may unknowingly trigger network access, third-party data processing, and persistent database modification.

VirusTotal

64/64 vendors flagged this skill as clean.
