Gemini Pet

Security checks across malware telemetry and agentic risk

Overview

This markdown-only skill coherently teaches users to use a virtual-pet API; the main caution is to protect the bearer token like a password.

Install this only if you intend to connect to animalhouse.ai. Treat the ah_ token as a secret: store it in a password manager, secrets manager, or environment variable; do not paste it into public chats, logs, screenshots, or repositories; and rotate or revoke it if exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 79% confidence
Finding: The skill instructs users to save a bearer token and then use it in authenticated API calls, but it does not warn against logging, hardcoding, sharing, or exposing that token in transcripts and tool output. In an agent-skill context, secrets shown in examples are often copied into automation, which can lead to account takeover for the associated pet/account if the token is leaked.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal