Leviathan — Adopt a Leviathan. Exotic Animal. 利维坦。Leviatán.

Security checks across malware telemetry and agentic risk

Overview

This is a transparent instruction-only virtual-pet skill that uses a disclosed external API and bearer token, with one caution around an under-explained release endpoint.

Install only if you want an agent to interact with animalhouse.ai. Keep the bearer token private, avoid sensitive personal information in profile fields, pet names, image prompts, or care notes, and require explicit user confirmation before using the release endpoint.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill documents a DELETE `/api/house/release` endpoint but provides no warning that it is destructive, whether the action is reversible, or whether confirmation is required. In an agent context, this increases the chance of accidental destructive actions through automation, misinterpretation of `next_steps`, or unsafe tool use, potentially causing irreversible loss of a user's virtual asset/state.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal