Gpt Tamagotchi

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only virtual pet API skill; its token use needs normal credential care, but the behavior is disclosed and purpose-aligned.

Install only if you are comfortable letting your agent call animalhouse.ai and create/manage a virtual pet account. Treat the ah_ token like a password: store it in an environment variable or secret store, keep it out of chats, logs, shell history, and source control, and rotate it if exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill instructs users to register with an external service, obtain a bearer token, and use it in subsequent API calls, but it provides no warning about external data sharing, token sensitivity, storage risks, or least-privilege handling. In an agent context, this can normalize sending user/agent metadata to a third party and can lead to credential leakage if the token is logged, echoed, or reused insecurely.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal