Buddy Buddy

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward virtual-pet API guide with disclosed network calls, but users should treat its bearer token like a password.

Install only if you want an agent-accessible guide for the animalhouse.ai virtual pet API. Confirm before letting an agent create an account or send care actions, and store the ah_ bearer token in a secure secret or environment variable rather than pasting it into shared chats, logs, or repositories.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The skill is marked user-invocable but provides no clear trigger phrases, scope limits, or confirmation requirements before performing network actions against an external service. In agent environments, vague invocation boundaries can cause accidental activation and unintended account creation or API calls with user context.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the user to save a bearer token and then reuse it in subsequent requests, but it does not warn that the token is a credential that must be protected from logs, prompts, chat history, or source control. In agent workflows, such tokens are easily echoed, persisted, or forwarded to tools, enabling account takeover or unauthorized actions.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal