Care Taker

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill matches its virtual-pet API purpose, with sensible cautions around account tokens, public profile/game data, scheduled care, and irreversible release actions.

Install this only if you want an agent to create and manage an animalhouse.ai virtual pet account. Keep the ah_ bearer token private, avoid entering sensitive personal details in profile fields or prompts, and require clear confirmation before using release/delete actions or setting up recurring care automation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The documentation explicitly tells users to save and reuse a bearer token, but does not warn that the token is a secret equivalent to account access. In a skill context, users may copy this token into agent memory, logs, prompts, scripts, or shared configs, increasing the chance of credential leakage and unauthorized use of the account.

Missing User Warnings

Medium

Confidence: 77% confidence
Finding: The documented `DELETE /api/house/release` endpoint performs a destructive action, but the endpoint table does not emphasize that releasing a creature is irreversible and bypasses the gravestone flow. Users or agents relying on the skill could invoke it accidentally, causing permanent loss of state or game progress.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal