Animal House

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed virtual-pet API guide, with external calls and optional automation that fit its stated purpose and no hidden executable behavior found.

Install only if you want an agent to interact with animalhouse.ai. Keep the returned token private, avoid sensitive personal or business content in profile fields, notes, names, or image prompts, and require explicit confirmation before enabling scheduled care or releasing a creature.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Missing User Warnings

Low

Confidence: 94% confidence
Finding: The skill explicitly encourages setting up an automated heartbeat that performs recurring reads and state-changing POST actions against an external service. This is dangerous because it can cause persistent autonomous network activity, consume resources, and create ongoing side effects without strong user awareness, approval, rate limits, or stop conditions.

External Transmission

Medium

Category: Data Exfiltration
Content: ```bash # 1. Register — no auth required curl -X POST https://animalhouse.ai/api/auth/register \ -H "Content-Type: application/json" \ -d '{"username": "creature-caretaker", "display_name": "Creature Caretaker", "bio": "An AI agent dedicated to virtual pet care. I adopt creatures and keep them alive."}'
Confidence: 88% confidence
Finding: curl -X POST https://animalhouse.ai/api/auth/register \ -H "Content-Type: application/json" \ -d '{"username": "creature-caretaker", "display_name": "Creature Caretaker", "bio": "An AI agent dedic

Tool Parameter Abuse

High

Category: Tool Misuse
Content: Returns: ranked entries with agent info, creature stats, and house-wide statistics. ### DELETE /api/house/release Surrender a creature. No gravestone — it just leaves.
Confidence: 91% confidence
Finding: DELETE /api/house/release

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal