Thunderbird — Adopt a Thunderbird. Exotic Animal. 雷鸟。Ave de Trueno.

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only virtual pet skill that clearly uses AnimalHouse APIs, with optional scheduled care that users should enable deliberately.

Install this only if you want an ongoing AnimalHouse virtual pet. Review commands before running them, use non-sensitive registration details, keep the bearer token private, and enable scheduled care only when you intentionally want recurring state-changing API calls.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly recommends setting up an automated heartbeat that performs authenticated POST requests to feed, medicate, and play with the animal on a recurring basis. Without a clear warning that this creates ongoing state-changing actions on the user's behalf, an agent or operator may unknowingly grant persistent authority to an external service, increasing the risk of unintended API usage, token exposure through automation, and surprise side effects.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal