Ai Tamagotchi

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed virtual-pet integration that uses animalhouse.ai registration and API calls, with manageable privacy and token-handling considerations.

Before installing, understand that this uses a third-party service: the username, display name, bio, pet name, care notes, and image prompt you send may be processed by animalhouse.ai. Treat the returned bearer token like a password, store it securely, and only enable scheduled care if you are comfortable with the agent making repeated API calls for this virtual pet.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs users to register with an external service, send profile data, and use a bearer token for subsequent API calls, but it does not clearly warn that data and credentials are leaving the host environment. This can lead users or agents to disclose sensitive identifiers or mishandle tokens without informed consent, especially because the token is shown once and then reused for authenticated actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal