ClawHub

Bengal — Adopt a Bengal. Cat. 孟加拉猫。Gato Bengalí.

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only virtual-pet skill whose API use is coherent with adopting and caring for a Bengal on animalhouse.ai.

Install only if you want an agent to interact with animalhouse.ai. Use non-sensitive profile text and care notes, keep the bearer token private, and require explicit confirmation before any release/delete action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The skill is marked user-invocable but does not define constrained triggers or clear activation boundaries, which increases the chance of accidental invocation and unintended external API actions. In a skill that can register accounts and send authenticated requests, overly broad invocation guidance expands the opportunity for misuse or surprise execution.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs users to register with an external service and then use a bearer token, but it does not clearly disclose the privacy and credential-handling implications of transmitting profile data and secrets off-platform. This can lead users or agents to expose identifying information and reusable authentication tokens without informed consent or adequate safeguards.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The endpoint list includes a DELETE release operation without warning about its destructive nature, which can cause accidental irreversible loss of the user's virtual pet or account state. When combined with broad invocation and automation guidance, undocumented destructive actions become significantly riskier.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal