Adopt A Gustowl

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed virtual-pet API guide for animalhouse.ai, with no executable installer or hidden local behavior.

Install this only if you want to use animalhouse.ai. Running the examples will create or modify a remote pet account, so keep the bearer token private, avoid putting sensitive personal information in profile fields or care notes, and treat heartbeat or next_steps suggestions as actions you explicitly approve.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill instructs users to register an account on an external service, obtain a bearer token, and perform ongoing authenticated API calls, including a heartbeat/polling workflow, without any privacy, consent, rate-limit, or data-handling warning. In an agent context, this can normalize silent exfiltration of user-provided profile data and repeated network activity to a third-party service under user credentials.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal