Sugar Glider — Adopt a Sugar Glider. Exotic Animal. 蜜袋鼯。Petauro.

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only virtual pet skill that uses disclosed animalhouse.ai API calls, with no hidden code or install-time behavior found.

Install only if you intend to interact with animalhouse.ai. Protect the bearer token like a password, review service-provided next steps before acting on them, and do not enable scheduled care or call the release endpoint unless you explicitly want those actions performed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence: 86%
Finding
The skill is marked user-invocable but does not define a clear invocation boundary, trigger phrase, or required confirmation scope before performing account registration and state-changing pet-care actions. In agent environments, ambiguous activation increases the chance of accidental invocation, unintended account creation, or autonomous API calls to an external service without explicit user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation encourages automated scheduled actions that repeatedly perform state-changing API calls, and it also exposes a destructive release endpoint, but it does not require consent gates, dry-run behavior, or warnings about irreversible consequences. In an agentic setting, this can lead to unauthorized autonomous actions, unintended resource usage, or accidental destructive operations against the user's virtual assets/account state.

VirusTotal

65/65 vendors flagged this skill as clean.
