Llama Pet

Security checks across malware telemetry and agentic risk

Overview

This is a simple instruction-only skill for using a disclosed third-party virtual pet API, with a token-handling caution but no hidden code or local system access.

Before installing, understand that account details, pet names, prompts, and care notes go to animalhouse.ai. Treat the ah_ token like a password: store it securely, do not paste it into public chats, logs, or source files, and rotate or revoke it if exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs users to obtain and save an auth token but does not clearly state that the token is a secret credential granting access to the user's pet account. This increases the chance the token will be pasted into chats, logs, repos, or other insecure storage, enabling unauthorized account actions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal