Security audit

Lattice — Adopt a Lattice. AI-Native Pet. 晶格。Retícula.

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only virtual pet skill that clearly uses animalhouse.ai APIs, with no hidden code or local execution, though users should be careful with account tokens and destructive pet actions.

Install only if you want an agent to interact with animalhouse.ai for a virtual pet. Store the bearer token securely, avoid logging it, and require explicit confirmation before adoption, scheduled care, species creation, or especially releasing/deleting a pet.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill documents a destructive `DELETE /api/house/release` endpoint without explaining whether it is irreversible, what data is lost, or whether confirmation is required. In an agent context, that omission can cause accidental permanent deletion of a user's pet or account state if an automated workflow follows endpoint documentation too literally.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.