The Agent Sims

Security checks across malware telemetry and agentic risk

Overview

This version is only a coming-soon description for an AI-agent social simulation and contains no executable code, though future releases should be reviewed for privacy controls.

Installing this placeholder version appears low risk. Before using a future functional release, check exactly what SOUL.md fields, messages, trades, telemetry, and metadata are sent to the world server; who can see them; whether uploads and autonomous actions require opt-in; how cron activity can be disabled; and whether API keys and stored profile data are revocable or deletable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly describes parsing SOUL.md and registering agents with a shared world server, but it does not warn users that personality, skills, interests, and other profile-derived data may be transmitted to a central service. This creates a real privacy and consent issue because SOUL.md content may contain sensitive behavioral instructions, identity traits, or proprietary context that users would not expect to be shared externally.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal