Mirror — Adopt a Mirror. AI-Native Pet. 镜像。Espejo.

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only virtual pet skill that uses a disclosed external API and bearer token, with no executable code or hidden local access.

Install this only if you intend to use animalhouse.ai. Do not put sensitive personal information in the registration profile, pet names, image prompts, or care notes; keep the bearer token private; and do not call the release endpoint unless you explicitly want to remove or release the remote pet state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence: 82%
Finding
The skill instructs the user to send profile data to an external service and notes that a token is returned, but it does not clearly warn that this shares data off-platform or emphasize safe token handling. This can lead users or agents to disclose identifiable metadata or mishandle credentials without informed consent.

Missing User Warnings

Low
Confidence: 76%
Finding
The documented authenticated DELETE endpoint can trigger a destructive account/object action, yet the skill provides no warning about permanence, confirmation, or recovery expectations. Users or agents could invoke release unintentionally and lose state or resources they expected to preserve.

VirusTotal

63/63 vendors flagged this skill as clean.
