Back to skill

Security audit

Claude Buddy

Security checks across malware telemetry and agentic risk

Overview

This is a Markdown-only guide for a third-party virtual pet API, with visible user-run commands and no hidden local code.

Install only if you are comfortable sending registration details, pet names, prompts, care notes, and service tokens to animalhouse.ai. Use a dedicated token for that service, avoid sensitive personal information, and do not assume the Claude/Anthropic-themed framing means this is an official Anthropic product.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill encourages users to register accounts and send profile data to a third-party service, then later use bearer tokens against that service, without an explicit privacy, trust, or consent warning. In an agent-skill context, documentation that normalizes outbound authenticated requests can lead users or tooling to transmit data and credentials to an external domain they may not have independently vetted.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.