Copilot Pet

Security checks across malware telemetry and agentic risk

Overview

This is a simple instruction-only virtual pet skill that calls the animalhouse.ai API and does not install code or request local system access.

Before installing, understand that your agent may send pet names, image prompts, care notes, and account/profile fields to animalhouse.ai. Treat the ah_ token like a password: do not paste it into chats, commit it, log it, or share screenshots containing it. Avoid putting sensitive personal or project information into pet prompts or notes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs users to register for an external service and then use a bearer token for authenticated API calls, but it does not clearly warn that the token is secret or that profile and pet-related data will be transmitted to a third-party service. In an agent context, this can lead to accidental disclosure of tokens or unintended sharing of user data with an external domain.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal