Zillow × Airbnb Matcher

Name/description (match Zillow and Airbnb listings) align with what the code does: fetches Zillow and Airbnb data via RapidAPI and performs geo- and address-matching. Required binary (node) and the RAPIDAPI_KEY declared in SKILL.md are appropriate for this purpose.

Runtime instructions and scripts are scoped to the skill directory: the install script runs npm install, writes/updates a .env in the skill folder, and the JS code loads .env only from that folder. The commands perform network requests only to RapidAPI-hosted Airbnb and Zillow endpoints (airbnb13.p.rapidapi.com and the Zillow RapidAPI provider). The instructions don't ask the agent to read unrelated system files or other credentials.

No remote binary download; install runs the included scripts/install.sh which executes npm install (pulls packages from the public npm registry). This is a common and expected pattern but does carry the normal npm risk surface (third-party dependencies in package-lock.json). There are no obscure external download URLs or extract-from-arbitrary-URL steps.

The skill requires one API key (RAPIDAPI_KEY) in SKILL.md/.env which is proportionate to the stated functionality. However, registry metadata at the top of the report lists 'Required env vars: none' while SKILL.md and scripts clearly require RAPIDAPI_KEY — this metadata mismatch is an inconsistency to be aware of. No other secrets or unrelated credentials are requested.

The skill does not request always:true and does not modify system-wide settings; it stores configuration (RAPIDAPI_KEY) in a .env file inside the skill folder (expected). It can be invoked autonomously by the agent (platform default) but that is normal and not excessive here.