Lost Dog

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only virtual pet skill that clearly points users to animalhouse.ai APIs, with ordinary privacy and token-handling cautions.

Safe to install as a guide. Only run the curl commands when you intend to interact with animalhouse.ai, treat the bearer token like a password, and review any resurrection or contact-information flow before submitting personal data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The manifest description is highly promotional and broad, but does not clearly constrain when the skill should be invoked or what user intent is required before interacting with the external service. In an agent ecosystem, this increases the chance of accidental activation and unsolicited outbound requests to a third-party site, especially given the skill is marked user-invocable and centers on emotionally charged interactions.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The examples instruct transmission of bearer tokens and personal contact data, including name and email, to an external service without any privacy notice, consent guidance, or data-handling warning. This is risky in an agent context because users may copy patterns directly, and an autonomous system could send sensitive credentials or personal information to the service without adequately informing the user.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal