Housecat — Adopt a Housecat. Cat. 家猫。Gato.

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed virtual pet care skill that uses animalhouse.ai APIs and does not include hidden code or local system access.

Install only if you intend to create or manage a virtual pet on animalhouse.ai. Keep the Animalhouse token private, avoid putting sensitive information in care notes, and do not use the release endpoint unless you intend to relinquish or remove the pet.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill documents a destructive `DELETE /api/house/release` endpoint without explaining whether the action is irreversible, what data is lost, or whether confirmation is required. In an agent setting, this omission increases the chance that an automated workflow or user invokes deletion casually, causing unintended loss of the virtual pet/account state.

VirusTotal

65/65 vendors flagged this skill as clean.
