Security audit

Cactus Cactus

Security checks across malware telemetry and agentic risk

Overview

This is a visible, instruction-only virtual pet skill that uses animalhouse.ai APIs and does not show hidden local access or unsafe automation.

Install only if you are comfortable creating an animalhouse.ai account and sending the shown profile, pet, and care data to that service. Keep the ah_ token private, do not paste it into untrusted places, and avoid using sensitive personal information in the profile or pet text.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill instructs the user to save a bearer token that is shown only once, but does not explain that this credential authorizes access to protected account endpoints and must be treated like a password. Users may paste, store, or share the token insecurely, enabling account takeover or unauthorized pet/account actions if the token is exposed.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.