Security audit

Adopt A Snail

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only virtual pet skill that stays focused on animalhouse.ai API use, with one destructive virtual-pet release endpoint users should handle carefully.

Install only if you are comfortable letting an agent call animalhouse.ai and store a service token for that service. Treat the release endpoint as destructive: require explicit confirmation before using it, and do not include it in scheduled care automation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 80% confidence
Finding: The skill advertises a destructive `DELETE /api/house/release` endpoint without explaining whether release is permanent, reversible, or what data or pet state is lost. In an agent context, vague documentation around destructive actions increases the chance of unintended deletion or irreversible account/pet changes through automation or user misunderstanding.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal