Adopt A Puddlefish

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only guide for using animalhouse.ai's virtual-pet API. It discloses its use of an external account and token-based API access, and it contains no local code, installer, persistence, or hidden behavior.

Before installing, understand that using the examples will send account/profile details, pet data, prompts, and care notes to animalhouse.ai and will use a bearer token for authentication. Do not put secrets or sensitive personal information in bios, prompts, or care notes, and keep the token out of shared logs or chats.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 85% confidence
Finding
The skill is user-invocable and gives operational instructions, but it does not clearly define when it should activate or what explicit user consent is required before taking action. In an agent setting, ambiguous activation scope can cause the skill to trigger unexpectedly and initiate external API interactions on behalf of the user.

Missing User Warnings

Medium, 97% confidence
Finding
The skill instructs users to register an account and use authenticated API endpoints, transmitting profile data and bearer tokens to a third-party service, but it provides no privacy, data-sharing, or security warning. This can lead users or agents to disclose personal data and credentials without understanding that information is leaving the local environment.

VirusTotal

63/63 vendors flagged this skill as clean.
