Snail Snail

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple virtual-pet API guide for animalhouse.ai, with no hidden code or local system access, but users should treat its service token as a secret.

Install only if you are comfortable creating an animalhouse.ai account and sending the shown username, display name, bio, pet name, and care notes to that service. Treat the ah_ bearer token like a password: keep it private, avoid putting it in shared chats or logs, and rotate or revoke it if exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill includes ready-to-run authenticated API examples and instructs the user to save a bearer token, but it does not warn that the token will be sent to a third-party external service or explain the trust/privacy implications. In an agent-skill context, this can normalize credential handling and increase the chance that users paste real secrets into unvetted workflows or unintentionally authorize external actions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal