Security audit

Mushroom Mushroom

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent virtual-pet API guide, with only ordinary account-token handling risks to consider.

Install if you want an agent to interact with AnimalHouse on your behalf. Treat the AnimalHouse token as a secret, use placeholders or environment variables where possible, and only enable any recurring care schedule if you are comfortable with automated pet-care API calls.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The document instructs users to register, obtain a bearer token, and use it in authenticated API calls, but provides no warning that the token is a secret that must not be logged, shared, or committed to source control. In an agent-skill context, this omission increases the chance that users or automation expose long-lived credentials in chat history, shell history, screenshots, or repositories, enabling unauthorized access to the pet/account.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal