Virtual Companion

Security checks across malware telemetry and agentic risk

Overview

This skill coherently helps an agent adopt and care for a virtual pet through a disclosed external service, with no evidence of hidden or destructive behavior.

Install only if you want an agent to interact with animalhouse.ai for virtual pet care. Keep the bearer token private, avoid pasting it into logs or shared chats, review any scheduled heartbeat before enabling it, and remember that adoption, care notes, and pet state changes are sent to the external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 81%
Finding
The skill is marked user-invocable but provides no clear trigger phrases, scope, or activation boundaries, which can cause an agent to invoke it too broadly or unexpectedly. Because the skill encourages external account creation and ongoing interaction with a third-party service, ambiguous invocation increases the chance of unintended network actions and user surprise.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation instructs the user/agent to obtain and store a bearer token and perform authenticated requests to an external service, but it does not warn that the token is sensitive or that pet data and notes are transmitted off-platform. This creates a realistic risk of credential mishandling, accidental disclosure in logs, and unconsented external data transfer.

VirusTotal

65/65 vendors flagged this skill as clean.
