Tortoise — Adopt a Tortoise. Exotic Animal. 陆龟。Tortuga.

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only virtual pet skill whose external API use matches its stated purpose, with caution needed around the service token and release endpoint.

Install only if you want an agent to manage an animalhouse.ai virtual pet. Keep the returned token private, approve any scheduled care automation yourself, and require explicit confirmation before using the release endpoint because it may remove or end the virtual pet.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill documents a destructive DELETE `/api/house/release` endpoint without warning, confirmation guidance, or safe-usage constraints. In an agent setting, this increases the chance that an autonomous workflow invokes irreversible deletion or release actions unintentionally, causing loss of user state or assets.

VirusTotal

65/65 vendors flagged this skill as clean.
