Back to skill

Security audit

Rental Helper

Security checks across malware telemetry and agentic risk

Overview

This rental helper is mostly purpose-aligned, but some data-fetching features can present sample listings as real and several workflows save sensitive rental details with limited disclosure or confirmation.

Review before installing. Use manual listing, budgeting, comparison, and recommendation features with care, but do not rely on bundled fetch_real_listings.py or fetch_api.py output as verified live listings. Avoid logged-in scraping unless you accept the site/account risk, and be careful storing phone numbers, exact addresses, screenshots, commute details, and viewing notes in the local rental-data folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly describes capabilities that read and write local files and access third-party websites, yet no explicit permissions are declared. This creates a transparency and policy-enforcement gap: users and the hosting platform may not have adequate notice or controls over filesystem and network access before the skill processes files, URLs, or scraped content.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The module and function documentation repeatedly claim to retrieve 'real' listings from third-party APIs, but the implementation only returns hard-coded sample data for a specific city/area. In a rental-assistant skill, this is dangerous because users may rely on fabricated inventory, pricing, contact numbers, and source links as if they were current external data, which can mislead decisions and poison any saved dataset.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The file-level documentation claims to fetch 'real listing data' from multiple channels, but the implementation only returns hardcoded sample entries. In a rental-assistant skill, this is dangerous because users may rely on fabricated listings, prices, contacts, and URLs as if they were current market data, leading to misinformation and potentially unsafe real-world decisions.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The CLI presents itself as a tool to 'fetch real listing data', but no network calls, parsing, or external data retrieval occur. This mismatch can mislead operators into treating generated output and saved records as authentic, which is especially risky in a housing workflow where users may make financial or logistical decisions from the results.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
Within the broader skill context, the script materially underdelivers on claimed capabilities such as web parsing, image extraction, scraping, bulk import, and intelligent recommendation, while still producing and optionally persisting listing data. This creates a deceptive trust boundary: users may believe results were derived from real inputs or analysis when they are merely preseeded records, amplifying the risk of bad rental decisions and contaminated stored data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill stores persistent rental and viewing data locally, including contact details and potentially sensitive notes, without any visible privacy notice, retention policy, or user-consent language. This increases the risk of unintended exposure of personal data on shared systems, backups, or through other local processes that can read the workspace.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill encourages URL parsing and third-party website scraping without warning users about network transmission, scraping implications, or third-party site privacy and terms-of-service constraints. Users may unknowingly send private URLs or trigger collection from sites that prohibit automated access, creating privacy, compliance, and account-risk issues.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script persists scraped listing data into a local JSON file under ~/.openclaw/workspace/rental-data/listings.json when --save is used, but it does not clearly warn the user at save time about what data will be stored, where it will be stored, or for how long. In this skill context, scraped entries can include URLs and potentially user-curated housing data, so silent or poorly disclosed persistence creates a privacy and data-handling risk even though it is local rather than remote exfiltration.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script extracts a phone number from OCR text and persists it to a local JSON file without any explicit consent, warning, or data-minimization control. Because this skill is designed to process real rental listings and images, it is likely to capture real personal contact information, creating privacy risk and potential noncompliance if users unknowingly store sensitive data.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The script accepts an arbitrary user-supplied URL, performs a network request, and stores extracted content locally with no allowlist, scheme restriction, or warning about the side effects. In an agent/skill context this can enable SSRF-style access to internal resources or unintended retrieval of local/network endpoints if an attacker can influence the URL input, and it also creates persistent storage of untrusted remote content.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.