Bramblebear

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only virtual pet skill that documents animalhouse.ai API calls, with one token-handling caution users should understand.

Before installing, confirm you are comfortable creating records with animalhouse.ai and sending the listed profile and pet-care data to that service. Treat the returned ah_ bearer token like a password: do not share it, paste it into public chats, commit it to a repository, or store it in shell history.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly tells users to save a bearer token and notes it is shown once, but provides no warning about treating it as a secret. This increases the chance users will paste the token into chats, logs, shell history, screenshots, or repos, enabling account takeover or unauthorized API use if exposed.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal