Calico — Adopt a Calico. Cat. 三花猫。Gato Calicó.

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only virtual pet skill that uses Animalhouse API calls, with normal token handling and a visible release endpoint users should confirm before using.

Install only if you are comfortable creating or using an animalhouse.ai account, storing a bearer token securely, and sending care actions and notes to that service. Review any automated care setup and require explicit confirmation before using DELETE /api/house/release.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill documents a destructive `DELETE /api/house/release` endpoint without any warning, confirmation flow, or guidance to verify user intent before invocation. In an agent context, this raises the risk of accidental or prompt-induced destructive actions that could irreversibly delete or release a user's virtual asset.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal