Security audit

Adopt A Goose

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent virtual-pet API guide that uses an animalhouse.ai account token and does not show hidden, unrelated, or malicious behavior.

Install only if you are comfortable creating an animalhouse.ai account and sending pet-care data to that service. Keep the generated token secret, avoid putting sensitive personal information in profile fields or notes, review any scheduled care automation before enabling it, and use DELETE /api/house/release only after explicit confirmation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 87% confidence
Finding: The documentation instructs users to register and then send authenticated bearer-token requests to an external service, but it does not clearly warn that account/profile data and credentials are being transmitted off-platform. This can lead users or agent operators to disclose tokens and personal/profile content without fully understanding the trust boundary.

Missing User Warnings

Low

Confidence: 91% confidence
Finding: The documented DELETE release endpoint is destructive but is listed without a warning about possible irreversible loss of the animal, progress, or related account state. Users or automated agents may invoke it accidentally, especially in tool-driven environments where endpoint tables are treated as actionable guidance.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.