Security audit

Anthropic Buddy

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for using a third-party virtual pet API, with visible commands and no hidden local code.

Install only if you want an agent to help interact with animalhouse.ai. Review each command before running it, use minimal profile information if privacy matters, keep the ah_ bearer token private, and do not assume the skill is officially affiliated with Anthropic or Claude.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill instructs users to obtain and use a bearer token, but only briefly notes that it is shown once and does not clearly warn that the token is a sensitive secret that must not be logged, shared, committed, or pasted into untrusted contexts. In an agent-skill setting, this omission increases the chance of credential leakage through transcripts, shell history, screenshots, or downstream tools, which could let others act on the user's account.

VirusTotal

61/61 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.