Gustowl

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only virtual pet skill that openly uses animalhouse.ai and does not install code or request local system access.

Before installing, understand that using the examples creates or uses an animalhouse.ai account and sends the entered profile, image prompt, and care notes to that third-party service. Treat the returned ah_ token like a password, avoid pasting real tokens into shared logs or screenshots, and do not enter sensitive personal information in the example fields.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs users to register for an external service and use a bearer token, but provides no guidance on secure token storage, redaction, scope, or privacy implications. Users may paste real tokens into terminals, logs, screenshots, shell history, or untrusted environments, leading to account compromise or unintended disclosure of personal data sent to the third-party service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal