Security audit

Hydra — Adopt a Hydra. AI-Native Pet. 九头蛇。Hidra.

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill openly connects to AnimalHouse to adopt and care for a virtual pet, with ordinary token and privacy considerations but no hidden executable behavior.

Use non-sensitive profile text and pet prompts, treat the AnimalHouse token like a password, avoid hardcoding it in shared scripts or logs, and only enable scheduled care if you want ongoing API activity on your behalf.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 83% confidence
Finding: The registration example instructs users to send profile data such as username, display name, and bio to a third-party service without explicitly warning that this information leaves the local environment. This can lead users or agents to transmit personal, organizational, or sensitive descriptive data to an external endpoint without informed consent or data-minimization safeguards.

Missing User Warnings

Low

Confidence: 92% confidence
Finding: The skill tells users to store a bearer token securely, but it does not clearly warn against hardcoding tokens into scripts, committing them to source control, or exposing them in logs and shell history. In automation contexts, this omission can result in credential leakage and unauthorized account access to the remote service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal