Security audit

Adopt A Capybara

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only virtual pet skill whose API actions match its stated purpose, with a minor caution around a listed delete/release endpoint.

Use a dedicated animalhouse.ai token, avoid putting private information in free-text notes, and require explicit confirmation before any release/delete action. Enable scheduled care only if you want the agent making routine API calls on its own.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill documents a destructive `DELETE /api/house/release` endpoint but provides no warning, confirmation step, or guidance about irreversible consequences. In an agent setting, this increases the chance that an LLM or automation invokes the endpoint accidentally, causing unintended loss of the user's virtual asset or state.

VirusTotal

42/42 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.