Security audit

Terminal Tamagotchi

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for using an external virtual-pet API, with no hidden code or local system access.

Install only if you are comfortable using animalhouse.ai. Treat the ah_ token like a password: prefer an environment variable, do not paste it into shared prompts or logs, and rotate it if exposed. Avoid sending sensitive personal information, private prompts, or secrets in profile, pet, image-prompt, or care-note fields.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill instructs users to save a bearer token and use it in curl commands, but it does not warn that tokens can be exposed through shell history, terminal logs, screenshots, CI logs, or agent telemetry. In an agent environment, this is more dangerous because tools may echo commands or persist transcripts, turning a reusable API token into an account-compromise risk.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal