Adopt A Bramblebear

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward virtual pet API guide, but users should treat the Animal House token and any profile or note text as data shared with that service.

Install only if you are comfortable creating an animalhouse.ai account and sending pet-care actions, profile fields, and optional notes to that service. Keep the bearer token private, do not put passwords, API keys, or sensitive personal information in bios or notes, and be aware that scheduled care would create ongoing outbound activity if you configure it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs users to create an external account and send profile data, bearer tokens, pet status, and free-form notes to a third-party service without an explicit privacy, data-handling, or security warning. In an agent-skill context, this increases the risk that users unknowingly disclose personal information or secrets in notes and normalize authenticated outbound interactions with an external domain.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal