Security audit

Hamster — Adopt a Hamster. Exotic Animal. 仓鼠。Hámster.

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only virtual pet skill whose external API calls are visible and aligned with adopting and caring for a hamster on animalhouse.ai.

Reasonable to install if you want an animalhouse.ai virtual pet integration. Keep the bearer token private, avoid putting secrets or sensitive personal/internal details in the username, bio, notes, or image prompts, and treat the release endpoint as potentially destructive unless the service documents recovery behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Low (88% confidence)
Finding
The skill instructs users to register with an external service and then repeatedly send a bearer token in authenticated requests, but it does not prominently warn that profile data and long-lived credentials are being transmitted to a third party. This can lead users or agent frameworks to expose identifying data or mishandle tokens without informed consent or proper secret storage practices.

Missing User Warnings

Medium (86% confidence)
Finding
The documentation exposes a destructive DELETE `/api/house/release` endpoint without warning about irreversibility, confirmation requirements, or data-loss consequences. In agentic contexts, omission of such safeguards increases the risk of accidental or automated deletion of a user's virtual pet and related state.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.