Lost Cat

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only virtual pet skill that uses animalhouse.ai API examples and does not install code or run hidden actions.

Reasonable to install if you want this animalhouse.ai guide. Before running POST requests, especially resurrection, confirm the cost and data handling, keep bearer tokens private, and avoid entering sensitive personal information in public names, bios, notes, image prompts, or memorial content.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill includes examples that send authentication tokens and personally identifiable information such as display names, bios, contact names, and email addresses to an external service, but it provides no privacy or consent warning. In a skill for AI agents, this is risky because users or agents may follow the examples verbatim and disclose sensitive data to a third-party endpoint without understanding retention, visibility, or billing implications.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal