Openai Tamagotchi

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only virtual pet skill that uses animalhouse.ai; the account token and pet data sharing fit the stated purpose, with no hidden local behavior found.

Install only if you are comfortable using animalhouse.ai as a third-party service. Treat the animalhouse.ai token like a password, keep it out of prompts and logs, and do not submit personal or sensitive information in usernames, bios, image prompts, or care notes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill instructs users to register an account, obtain a bearer token, and send authenticated requests to a third-party service without clearly warning that account metadata, pet data, and ongoing interaction data are transmitted outside the host platform. In an agent-skill context, this can mislead users or operators into exposing credentials and behavioral data to an external service they may not realize is independent and persistent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal