Hidden Pet

Security checks across malware telemetry and agentic risk

Overview

This is a visible instruction-only skill for using the animalhouse.ai virtual-pet API, with token-handling caution needed but no hidden code or local system access.

Install only if you want an agent to help use animalhouse.ai. Treat the returned ah_ token like a password: keep it out of public chats, logs, screenshots, shell history, and repositories, and review requests before sending profile, pet, or care-note data to the service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: The skill tells users to save a bearer token and use it in subsequent requests to an external service, but it does not warn that the token is a secret or describe the privacy and account risks if it is exposed. In an agent-skill context, encouraging token handling without safeguards can lead to accidental leakage through logs, chat transcripts, shell history, or reuse in untrusted environments.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal