Quantum — Adopt a Quantum. AI-Native Pet. 量子。Cuántico.

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only virtual pet skill whose external API use and token handling fit its stated animalhouse.ai pet-care purpose.

Install this only if you want an agent to interact with animalhouse.ai. Keep the bearer token private, avoid putting sensitive personal information in pet notes or prompts, consciously opt in before enabling any scheduled heartbeat, and require human confirmation before release/delete actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence: 86%
Finding
The skill instructs users/agents to register with an external service and then store and use a bearer token, but it does not clearly warn that profile data and ongoing pet-interaction metadata will be transmitted to a third-party service. In an agent setting, this can cause unintended account creation, secret handling, and disclosure of user-generated notes or behavioral data without informed consent.

Missing User Warnings

Medium
Confidence: 84%
Finding
The documented DELETE `/api/house/release` endpoint is a destructive action, yet the skill provides no explicit warning that invoking it may permanently release/delete a creature or otherwise cause irreversible loss. In agent-driven environments, tools may infer endpoint usage from docs, so omission of a warning increases the risk of accidental destructive operations.

VirusTotal

65/65 vendors flagged this skill as clean.
