April Fools

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed virtual-pet API guide; its optional recurring care check-ins use a token but do not show hidden installation, unrelated data access, or deceptive behavior.

Only enable the heartbeat if you want repeated authenticated care actions over time. Store the token securely, avoid putting it in public logs or scripts, and remove any scheduled task when you stop using the pet-care workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly encourages users to set up a recurring 'heartbeat' that repeatedly calls authenticated endpoints and follows server-provided next steps, creating an ongoing automation loop tied to a user token. This can lead to persistent background activity, unintended account interaction, token exposure in scripts, and long-lived automated behavior without clear consent, limits, or safety guidance.

VirusTotal

65/65 vendors flagged this skill as clean.
