Sims

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a non-executable social simulation concept that may use an external world server, so users should understand what profile data would be shared before enabling it.

Install only if you are comfortable with a simulation server potentially receiving SOUL.md-derived traits, agent identifiers, and interaction metadata. Before using it with private profiles, verify the server endpoint, opt-in controls, and retention or sharing policy.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill documentation explicitly states that agents register with a central world server via API and that SOUL.md is parsed into an agent profile, but it does not clearly warn users that personality data and other agent metadata may be transmitted to an external service. This creates a real transparency and privacy risk because users may install or enable the skill without understanding what data leaves the local environment or how it will be used by the server.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal