Pebblecrab

Security checks across malware telemetry and agentic risk

Overview

This is a visible, instruction-only guide for using an external virtual-pet API, with token-handling privacy cautions but no hidden code or local system access.

Install only if you are comfortable creating an animalhouse.ai account and sending the shown profile and pet data to that service. Treat the ah_ token like a password: avoid pasting real tokens into chats, screenshots, logs, or repositories, and prefer a test account or environment variable for use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill encourages users to register an account and use bearer tokens with a third-party service, but it does not clearly warn that profile data, pet metadata, and authentication credentials are being sent off-platform to animalhouse.ai. In an agent-skill setting, this can normalize remote data submission and token handling without informed consent, increasing privacy and credential-exposure risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal