Pilot Real Estate Analyzer Setup

Security checks across malware telemetry and agentic risk

Overview

This is a coherent real-estate pipeline setup guide with disclosed local configuration and external alerting, but users should review data-sharing and downstream skill installs before using it.

Install this only if you intend to deploy a Pilot multi-agent real-estate workflow. Review the downstream pilot-* skills, choose only the role you need, confirm peer hostnames before handshakes, and verify Slack/email/webhook destinations and payload contents before sending real property, investor, tenant, or deal data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 84%
Finding
The README explicitly routes deal alerts to Slack, email, and webhook destinations but does not warn users that property details, valuation outputs, ROI estimates, and investor preference data may be transmitted to third-party services. In a real-estate investment workflow, this can expose sensitive business intelligence or personal data to external platforms without informed consent, creating privacy, compliance, and data-handling risks.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs writing a persistent manifest under ~/.pilot/setups without warning the user that local state will be created in their home directory. This can surprise users, leave residual configuration on shared systems, and persist sensitive topology details such as hostnames, peers, and data flows beyond the current session.

Missing User Warnings

Medium
Confidence: 95%
Finding
The notifier role is designed to send deal alerts to external Slack, email, and webhook endpoints, but the skill omits a privacy and data-sharing warning. Users may unknowingly forward property, investor, or scoring data to third-party services, creating confidentiality, compliance, and accidental data exposure risks.

VirusTotal

66/66 vendors flagged this skill as clean.
