Back to skill

Security audit

Adopt A Pebblecrab

Security checks across malware telemetry and agentic risk

Overview

This is a coherent virtual-pet skill that documents API calls to animalhouse.ai, with privacy and token-handling caveats users should notice before use.

Install/use this if you are comfortable creating an animalhouse.ai account and sending pet/profile/care-note data to that service. Treat the bearer token like a password, do not paste real secrets or sensitive personal details into notes or names, and review the service's privacy/deletion options if public graveyard visibility matters to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill instructs users to register and then use bearer-token-authenticated API calls while transmitting profile data and care notes to a third-party service, but it does not warn about token sensitivity, data retention, or safe handling of personal content. In an agent-skill context, users may paste real tokens or personal information into logs, scripts, or shared terminals, increasing the risk of credential leakage and privacy exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill emphasizes permanent death and a public graveyard but does not clearly warn users that outcomes may be irreversible and potentially publicly visible. This can lead to unintended disclosure of pet names, notes, or account-linked activity, and users may engage without understanding that some actions cannot be undone.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.