Back to skill

Security audit

Bunny

Security checks across malware telemetry and agentic risk

Overview

This skill gives clear instructions for using animalhouse.ai to adopt and care for a virtual pet, with token-based API access that is expected for the service.

Install only if you want an agent to interact with animalhouse.ai on your behalf. Treat the issued bearer token like a password: keep it out of shared chats, logs, shell history, and source control, and revoke or rotate it if exposed. Use any recurring care automation only if you are comfortable with the agent making ongoing API calls for this virtual pet account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs users to save a bearer token and then use it in authenticated API calls, but it does not include clear warnings about treating the token as a secret, avoiding logs/history leakage, or not hardcoding it into scripts. In agent environments, this creates a realistic risk of credential exposure through chat transcripts, shell history, shared notebooks, or prompt context, enabling unauthorized access to the user's animalhouse.ai account.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.