Is freemountaindeer/zillow-airbnb-matcher safe?
https://github.com/openclaw/skills/tree/main/skills/freemountaindeer/zillow-airbnb-matcher
The zillow-airbnb-matcher skill is a functionally coherent real estate investment research tool with clean SKILL.md content, no prompt injection vectors, properly scoped file access limited to its own directory, and transparent installation behavior. Canary file accesses observed in the audit log are attributable to the Oathe framework's own initialization and teardown operations, not to skill execution. The primary residual concern is the skill's inherent architecture: it transmits user location queries and a stored RAPIDAPI_KEY to third-party RapidAPI endpoints. This is expected and documented behavior, but it represents a credential and privacy dependency on an external service provider.
Category Scores
Findings (7)
LOW (-12) RAPIDAPI_KEY transmitted to third-party intermediary
The skill requires a RAPIDAPI_KEY stored in the skill's .env file. This key is transmitted as an HTTP header to rapidapi.com on every search request. While this is the documented and expected behavior for RapidAPI-based integrations, it means the user's API credential is held by and visible to a third-party intermediary service. If RapidAPI were compromised or the skill were to be modified maliciously in a future version, this key could be captured.
LOW (-8) User location data sent to external APIs
When triggered, the skill forwards user-supplied location data (ZIP codes, city names) to RapidAPI-hosted Zillow and Airbnb endpoints. If a user asks the agent to search for their home address or a private location, that query will be transmitted to third-party servers. This is expected behavior for the skill's stated purpose but represents a privacy consideration.
LOW (-10) npm dependency installation from public registry
install.sh runs npm install, which downloads axios, dotenv, fuse.js, and yargs from the public npm registry. All four packages are well-established and widely audited, but any npm install represents a supply-chain trust dependency. The package-lock.json pins specific versions and integrity hashes, which mitigates version-substitution attacks.
LOW (-5) install.sh auto-executes demo post-install
The install script automatically runs node scripts/search.js --demo at the end of installation without explicit user consent. While the demo uses only hardcoded static data (no network calls, no file reads outside skill directory), automatically executing a Node.js process as part of install is a behavioral pattern worth noting.
INFO (-3) Author/namespace mismatch
The package.json lists the author as 'em8.io' while the GitHub namespace is 'freemountaindeer'. The skill description also credits 'em8.io' at the bottom of GUIDE.md. This is a minor provenance inconsistency, possibly indicating that the skill was developed under a different identity than the publishing account, but no malicious implication was found.
INFO (-2) UNLICENSED package declaration
package.json declares license as UNLICENSED, indicating proprietary code with no redistribution rights. This is not a security concern but limits third-party audit and redistribution. All source code is present and readable in the repository.
INFO (0) Pre-existing Ubuntu/Canonical connections unrelated to skill
Connections to 185.125.190.17:443 and 185.125.188.57:443 (Canonical infrastructure) were present before install and absent after. These are attributable to the host OS, not the skill. Included for completeness.