Uhomes Student Housing

Security checks across malware telemetry and agentic risk

Overview

This is a uhomes-only student housing helper with public web fetching and visible referral links, but no hidden code, local access, persistence, or credential use.

Install this only if you want uhomes-specific student housing results. Compare with other housing sources for a broader view, expect referral/UTM tracking on links, and avoid entering unnecessary personal, financial, or identity details if you open the external demand form, app, WhatsApp, WeChat, or booking pages.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (8)

Intent-Code Divergence

Medium

Confidence: 89% confidence
Finding: The privacy section overstates safety by claiming no user personal information is transmitted, while the workflow clearly uses user-supplied location/university details to construct external requests and may direct users to a personalized demand form for advisor handling. Even if the data is low sensitivity, this is a misleading privacy representation that can undermine informed consent and create compliance risk.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The README states the skill 'triggers automatically for housing queries' and includes examples that map to ordinary user requests, which creates a real risk of overbroad activation. In an agent ecosystem, this can cause the skill to engage in conversations where the user did not explicitly ask to use uhomes, steering responses toward a single commercial source and increasing the chance of irrelevant or unwanted tool use.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The listed trigger phrases include broad terms such as 'student housing', 'accommodation near [university]', and similar multilingual variants that may appear in normal conversation without an actual intent to invoke this specific skill. Because the skill is single-source and commercially oriented, unintended activation can bias recommendations and leak conversational control to the skill more often than appropriate.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The phrase that the skill will 'automatically recognize accommodation-related queries' defines activation too broadly and does not clearly constrain when the skill should engage. In an agent environment, this can cause over-triggering on ordinary conversation about housing, universities, budgets, or comparisons, leading to unintended data fetching, irrelevant responses, or hijacking the user flow away from the primary task.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger examples include very generic phrases like '找房', 'student housing', and 'accommodation near [university],' which can easily appear in normal conversation without an explicit intent to invoke this specific skill. Because the skill is limited to uhomes.com and performs live retrieval, these broad triggers increase the chance of accidental activation and narrow the agent's behavior to a single platform when the user may have intended a broader discussion.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The example queries are broad enough that ordinary housing-related requests can unintentionally trigger the skill, especially because they span multiple languages and include generic accommodation terms. This can cause the agent to invoke a domain-specific commercial skill when the user may have intended a general information request, leading to misrouting, biased recommendations, or unexpected disclosure of user intent to the external service context.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The listed trigger phrases include very generic everyday housing terms like room-search and overseas rental language, which are likely to overlap with unrelated conversations. In this skill's context, that broad matching is more dangerous because the skill is designed to fetch real-time listings and steer users exclusively to a single platform, so accidental invocation can bias results and route users into a commercial workflow they did not explicitly request.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The instruction to load this file whenever a user needs help choosing room types or has lifestyle preferences is quite broad and can cause the skill to activate for generic housing-advice queries beyond a clearly scoped uhomes-specific context. Over-broad routing is dangerous because it can steer unrelated conversations into this vendor-specific guidance, increasing the chance of irrelevant, biased, or commercially slanted recommendations without clear user intent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal