Dev Pet

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only virtual pet skill that uses the animalhouse.ai API, with expected account-token and profile-note handling but no hidden local code or elevated access.

Install only if you are comfortable using animalhouse.ai as an external service. Do not put secrets, proprietary code, customer data, or sensitive personal information in the bio, image prompt, pet name, or care notes, and store the ah_ token like any other API key.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The registration and care examples instruct users to send profile text and free-form notes to a third-party service without any notice about storage, retention, visibility, or appropriate data sensitivity. In an agent-skill context, users may paste personal, project, or operational details into these fields, causing unintended disclosure to an external service.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill tells users to save a bearer token and reuse it in subsequent API calls but does not clearly warn that the token is a secret credential that must not be exposed in logs, commits, screenshots, or prompts. In developer-agent environments, such examples are often copied verbatim, increasing the chance of token leakage and account misuse.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal