Claude Easter Egg

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only guide for using a third-party virtual-pet API and does not install code or request unrelated access.

Install only if you are comfortable registering with animalhouse.ai and sending the shown profile, pet, and care text to that service. Keep the returned ah_ token private like an API key, do not commit or share it, and rotate or revoke it if exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill instructs users to save a bearer token that is shown only once, but it does not explicitly warn that the token is a secret granting account access and must not be shared, logged, or embedded in prompts. In agent-driven environments, omission of credential-handling guidance increases the chance of accidental token exposure through chat history, shell history, screenshots, or repository commits.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal