Security audit

AgentZero

Security checks across malware telemetry and agentic risk

Overview

This is mostly a real-estate tracker, but it needs Review because it under-discloses sensitive browser/email behavior and includes anti-bot automation for sites it says are blocked.

Install only if you are comfortable giving this skill local service control, Gmail-assisted browsing for Redfin alerts, persistent local listing storage, and automatic Claude triage of property/profile data. Review the start scripts before running them, avoid using it where unrelated services may be on ports 8000 or 5173, and treat Zillow/Realtor.ca behavior as live anti-bot browser fetching rather than stub-only support. VirusTotal was pending and was not used as a negative signal.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch (severity: Medium, confidence: 97%)

The documentation claims Realtor.ca is supported while the skill metadata explicitly says Realtor.ca is blocked and only stub records are saved. This mismatch can cause an agent or user to submit unsupported URLs under false assumptions, producing incomplete records, incorrect automation behavior, and potentially unsafe downstream decisions based on missing data.

Intent-Code Divergence (severity: Medium, confidence: 95%)

The privacy section claims the browser automation does not browse Gmail, but the workflow later instructs the agent to open Gmail, search mail, open messages, and click links. That contradiction can mislead users about the actual privacy exposure, especially since interacting with Gmail in a browser may expose message bodies, session cookies, and broader inbox context beyond envelope metadata.

Description-Behavior Mismatch (severity: High, confidence: 98%)

This code explicitly implements fallback mechanisms to fetch pages from hosts identified as bot-protected, including Safari automation and Chrome CDP with stealth settings, despite the skill metadata stating Zillow and Realtor.ca should be blocked and only stub listings saved. That mismatch is security-significant because it expands the skill's effective capabilities beyond the declared behavior and enables automated circumvention of site protections, increasing legal, policy, and misuse risk.

Context-Inappropriate Capability (severity: High, confidence: 97%)

The injected JavaScript is designed to hide automation fingerprints such as navigator.webdriver, plugins, permissions, WebGL, and connection properties in order to evade bot-detection systems. For a real estate listing tracker, this is not a normal parsing necessity; it is deliberate anti-detection behavior that materially increases the skill's ability to access protected content in ways operators and sites may not expect.

Description-Behavior Mismatch (severity: High, confidence: 97%)

This parser constructs and returns a fully populated ParsedListing for Zillow URLs, including price, address, MLS, photos, and other listing metadata, which conflicts with the stated skill behavior that Zillow should be blocked and only a stub saved. In a security-governed agent, bypassing a documented source restriction is dangerous because it defeats policy controls, may trigger prohibited scraping behavior, and can silently expand the system's data collection beyond approved boundaries.

Context-Inappropriate Capability (severity: Medium, confidence: 82%)

The embedded Google Maps iframe causes the browser to contact a third party with precise latitude/longitude for viewed properties, leaking user activity and listing location data outside the stated localhost-only backend. In a real-estate tracking app, this can expose sensitive browsing patterns and property interests to Google without explicit user consent.

Missing User Warnings (severity: Low, confidence: 88%)

The documentation includes an absolute, user-specific local path (`/Users/yuchen/Projects/AgentZero`) in publishing instructions. While not directly exploitable on its own, it unnecessarily discloses developer environment details that can aid fingerprinting, social engineering, or targeted follow-on attacks by revealing the username and local project layout.

Missing User Warnings (severity: Medium, confidence: 84%)

The README promotes automatic scanning of listing email alerts but does not clearly warn that this involves accessing email content and potentially opening Gmail in a browser workflow. In this skill context, mailbox access is sensitive because listing alerts may expose personal search behavior, account data, and other private email contents if configuration or consent boundaries are unclear.

Vague Triggers (severity: Medium, confidence: 73%)

The invocation description is broad enough that an agent may select this skill for general real-estate-related requests, even when email access, browser automation, local shell execution, or backend mutation are unnecessary. Over-broad triggering increases the chance of unnecessary sensitive actions or side effects being performed under a vague user request.

Missing User Warnings (severity: Medium, confidence: 79%)

The agent-suggest path automatically spawns a background review that sends listing data to Claude, but this transfer is not surfaced or gated at the endpoint itself. Because listings may contain addresses, notes, and other potentially sensitive real-estate data, implicit third-party transmission can violate user expectations, privacy requirements, or data-handling policy, especially in an agent skill that may be invoked autonomously.

Missing User Warnings (severity: Medium, confidence: 95%)

The script unconditionally kills any process listening on the configured port and also uses broad pkill patterns before starting the backend. This can terminate unrelated local services or the wrong developer process, causing denial of service or data loss if those processes were doing work, especially because there is no confirmation, ownership check, or narrow PID targeting.

Missing User Warnings (severity: Medium, confidence: 96%)

The script unconditionally terminates any process bound to the configured port and additionally issues broad pkill patterns for "vite" and the npm dev command. This can kill unrelated local services or other users' development processes, causing denial of service and destructive interference without confirmation or ownership checks. In this skill context, that is more dangerous because the script is meant to be run as part of an agent workflow and could disrupt other local tooling automatically.

VirusTotal

66/66 vendors flagged this skill as clean.