Gpt Pet

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed virtual pet API guide, with minor privacy and irreversibility caveats but no hidden or disproportionate behavior.

Install only if you are comfortable creating an animalhouse.ai account and sending non-sensitive pet names, prompts, and care notes to that service. Treat the returned token like a password, and understand that the virtual pet is time-based and may be lost if neglected.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs users or agents to send profile data, pet names, notes, and other user-provided content to a third-party service without any privacy notice, consent guidance, or data-handling limitations. In an agent setting, this creates a real risk of unintentional disclosure of personal, sensitive, or system-derived data to an external operator.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The description prominently advertises 'permanent death' as a feature but does not warn users that neglect or automated misuse may irreversibly destroy the virtual asset. In an agent-integrated workflow, that omission can mislead users into enabling autonomous actions without understanding the destructive consequence.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal