Back to skill

Security audit

Maine Coon — Adopt a Maine Coon. Cat. 缅因猫。Gato Maine Coon.

Security checks across malware telemetry and agentic risk

Overview

This is a transparent, instruction-only virtual pet skill that uses animalhouse.ai APIs to adopt and care for a virtual Maine Coon.

Install this only if you want your agent to interact with animalhouse.ai. Treat the returned bearer token like a password, review any scheduled care automation before enabling it, and require explicit confirmation before using release or non-Maine-Coon adoption actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is presented as a narrowly scoped Maine Coon adoption/care skill, but it documents a much broader API including registration, species browsing, graveyard/history access, and house-management operations. This scope mismatch can cause an agent or user to grant trust and credentials for a limited purpose while the skill actually enables unrelated actions, increasing the chance of overprivileged use and unintended data or state changes.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Exposing `DELETE /api/house/release` in a skill whose stated purpose is adopting and caring for a Maine Coon introduces an unnecessary destructive capability. If an agent follows the skill blindly or the endpoint is triggered by prompt confusion, the pet could be permanently released or deleted without a user expecting that risk from this skill.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Including species catalog browsing and cross-family adoption capabilities expands the skill beyond Maine-Coon-specific behavior and undermines the principle of least privilege. In context, this makes the skill more dangerous because an agent invoked for a single cat type could perform unrelated discovery or adoption actions across many species, creating unintended account changes or resource usage.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.