Security audit

Adopt A Twigling

Security checks across malware telemetry and agentic risk

Overview

This is a transparent virtual-pet API skill for animalhouse.ai; the main risk is sharing profile data and a service token with that external site.

Install only if you are comfortable creating or using an animalhouse.ai account and sending profile, pet, image prompt, notes, and care-action data to that service. Use non-sensitive profile text, treat the bearer token like a password, and only allow heartbeat or next_steps actions when they stay within pet care and you want repeated network calls.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs users to register an account and send profile data plus authenticated requests to an external service without an explicit privacy, data-handling, or trust warning. This is dangerous because users may disclose personal information and bearer tokens to a third-party service under the impression that the skill is purely local or low-risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.