April Fools Pet

Security checks across malware telemetry and agentic risk

Overview

This is a coherent virtual-pet API skill that uses animalhouse.ai as advertised, with ordinary third-party account, token, and data-sharing considerations.

Before installing, be comfortable creating an animalhouse.ai account and sending pet/profile/care data to that service. Store the returned ah_ token like a password, do not paste it into public chats or commit it to code, and use non-sensitive values in names, prompts, bios, and notes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs users to register an account with an external service, submit profile data, and store a bearer token, but does not clearly warn that this creates a third-party account and transfers data off-platform. This can mislead users and agents into disclosing information or handling credentials without informed consent, increasing privacy and token-exposure risk.

Missing User Warnings

Low

Confidence: 94% confidence
Finding: The authenticated API examples send pet status, care actions, and related usage data to an external service but omit clear disclosure that this information is stored and processed remotely. While the data shown is not highly sensitive by default, the lack of notice can still lead to unintended external data sharing and normalizes sending authenticated requests without transparency.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal