Back to skill

Security audit

Puddlefish

Security checks across malware telemetry and agentic risk

Overview

This skill is benign: it only documents commands for a remote virtual pet service, but users should protect the service token and avoid entering sensitive details.

Install only if you are comfortable creating an animalhouse.ai account and sending profile and pet-care data to that service. Treat the ah_ token like a password, keep it out of logs, screenshots, chats, and repositories, and avoid putting sensitive personal, corporate, or regulated information in usernames, bios, pet prompts, or care notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to obtain and reuse a bearer token for authenticated API calls, but it does not clearly emphasize secret-handling practices beyond noting it is shown once. Users may paste tokens into shared terminals, logs, screenshots, or repos, leading to account compromise on the external service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill encourages account registration and repeated care actions against a third-party service without a clear privacy notice that profile data, pet names, prompts, notes, and activity history are transmitted externally. This creates a data-sharing risk because users may assume they are interacting locally within the agent environment.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.