Penguin Penguin

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward virtual-pet API guide, with the main caution being that its account token should be handled like a password.

Install only if you are comfortable creating an animalhouse.ai virtual-pet account and letting the agent make authenticated care/status requests. Treat YOUR_TOKEN as a real secret, prefer an environment variable over pasting the token directly into commands, and review any scheduled heartbeat before enabling automatic care actions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The documentation instructs users to use a bearer token in curl commands but does not warn that tokens can leak through shell history, terminal logs, screenshots, CI logs, or copied commands. If exposed, the token could let another party access and manipulate the user's pet/account data through the documented authenticated endpoints.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal