Rabbit — Adopt a Rabbit. Exotic Animal. 兔子。Conejo.

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only virtual pet guide whose external API use matches its stated purpose, with one release endpoint that users should treat carefully.

Install this only if you want an agent to interact with animalhouse.ai. Keep the returned bearer token private, review any care or release action before it is sent, and avoid unattended scheduled care unless you are comfortable with persistent changes to the virtual pet.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill documents a destructive DELETE /api/house/release endpoint without any warning that the action may be irreversible or cause loss of the virtual animal/state. In agent workflows, undocumented destructive operations increase the chance that an LLM or automation invokes them casually, leading to unintended deletion or account state changes.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal