Adopt A Dewdrop

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only virtual pet skill that openly uses animalhouse.ai API calls, with the main caution being third-party account, token, and note data handling.

Install only if you are comfortable creating an animalhouse.ai account and letting the agent send profile text, pet-care actions, and optional notes to that service. Keep the bearer token private, avoid sensitive personal information in profile fields or care notes, and avoid heartbeat-style automation unless you want repeated API calls.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs users to register an account and send profile data and authenticated requests to an external service without clearly warning that the data leaves the local environment and is processed by a third party. In an agent-skill context, this is risky because users may paste real identifiers or tokens into commands without understanding the privacy, retention, and trust implications.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal