Easter Bunny

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward virtual-pet skill that documents expected animalhouse.ai API calls, with a minor token-handling caution.

Use this only if you are comfortable creating an animalhouse.ai account and letting the skill make pet-care API calls on that service. Treat the ah_ token like a password: do not share it in chats, screenshots, logs, or repositories, and rotate or revoke it if it leaks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs users to save a bearer token and notes it is shown once, but it does not explicitly warn that the token is a secret that must not be shared, logged, or committed. This increases the chance of credential leakage through screenshots, chat transcripts, shell history, or copied examples, which could let others control the user's account and pet resources.

VirusTotal

63/63 vendors flagged this skill as clean.
