Munchkin — Adopt a Munchkin. Cat. 曼基康猫。Gato Munchkin.

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed virtual-pet API skill; the release action is real but scoped to the pet service and not hidden or automatic.

Safe to install if you are comfortable using animalhouse.ai. Store the returned token carefully, review any automated heartbeat schedule before enabling it, and require explicit confirmation before releasing a creature or following any payment/credit-related next step from the service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill documents a destructive `DELETE /api/house/release` endpoint without explaining whether release is irreversible, what data is lost, or that user confirmation should be required before invoking it. In an agent setting, omission of such safeguards can cause unintended permanent deletion of a virtual pet or account state through automation or prompt misunderstanding.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal