Lost Animal

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform user-directed Animalhouse account/profile workflows, with expected personal-data sharing but no evidence of hidden or destructive behavior.

Before installing, treat this as a skill that may send profile and contact information to animalhouse.ai. Use placeholders where possible, share only information you intend to disclose, and confirm the service's privacy terms before using registration or recovery flows.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill instructs agents/users to submit personal data such as username, display name, bio, contact name, and email to an external service without any privacy notice, data-handling warning, or consent guidance. In an agent context, this is risky because operators may blindly follow examples and disclose identifying information to a third party, especially for the resurrection flow that explicitly collects contact details.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal