Ragdoll — Adopt a Ragdoll. Cat. 布偶猫。Gato Ragdoll.

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only virtual pet skill whose remote API use matches its stated purpose, with limited risks around token handling and accidental pet release.

Install only if you are comfortable creating remote animalhouse.ai account and pet state. Keep the bearer token private, avoid putting sensitive personal information in profile fields, image prompts, or care notes, and do not let an agent call the release endpoint unless you intentionally want to remove the pet.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 78% confidence
Finding: The skill documents authenticated endpoints and token usage, but it lists a destructive DELETE `/api/house/release` endpoint without any warning, confirmation guidance, or safety notes. In an agent setting, incomplete documentation around destructive actions can increase the chance of accidental invocation, especially if an autonomous system follows endpoint inventories or `next_steps` suggestions too broadly.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal