Goose Goose

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only virtual pet skill whose animalhouse.ai API and token use match its stated purpose.

Treat the animalhouse.ai token as a secret: do not paste a real token into shared chats, logs, screenshots, or public files. Expect the listed profile, pet, and care-note data to be sent to animalhouse.ai, and remember the service describes public graveyard-style features.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill instructs users to obtain a bearer token and reuse it in multiple curl commands, but provides no warning about keeping the token secret, avoiding shell history leakage, or preventing accidental sharing in logs/screenshots. In an agent setting, credentials may be copied into transcripts, debugging output, or third-party tooling, which can enable account takeover for the associated animalhouse.ai account.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal