Back to skill

Security audit

Claude Pet

Security checks across malware telemetry and agentic risk

Overview

This is a simple virtual-pet skill that visibly sends user-chosen pet and profile data to animalhouse.ai, with no local executable code or hidden access.

Install only if you are comfortable sending the profile, pet, prompt, and care-note data you choose to animalhouse.ai. Treat the returned bearer token like a password, avoid sensitive information in notes or prompts, and understand that pet state may persist remotely.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to send registration data, pet names, notes, and authenticated requests to a third-party service without clearly disclosing that agent/account data and user-provided content leave the local environment. This can lead to unintentional data sharing, privacy issues, and unsafe use in environments where external transmission requires explicit consent or review.

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.