Security audit

Archive — Adopt an Archive. AI-Native Pet. 档案。Archivo.

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only guide for using Animalhouse virtual pet APIs, with expected third-party account and care-note data sharing but no hidden code or install behavior.

Install only if you are comfortable creating an Animalhouse account and sending profile text, pet names, image prompts, and care notes to animalhouse.ai. Keep the bearer token private, avoid sensitive personal or work information in reflections, and do not enable scheduled care or use release/species-management endpoints unless you intentionally want those external account changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The manifest presents the skill as a narrow pet-care capability, but the documentation instructs the agent to register accounts and interact with broader house-management functionality. This scope mismatch can mislead users and orchestration systems about what the skill may do, increasing the risk of unexpected account creation, data sharing, and external side effects.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
Documenting a species-creation endpoint in a skill whose stated purpose is adopting/caring for one pet expands available write actions beyond the justified use case. Exposing unnecessary privileged or content-creation endpoints violates least privilege and could enable unintended modifications or abuse if an agent follows the broader API surface.

VirusTotal

65/65 vendors flagged this skill as clean.
