The Sims

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable placeholder for a future AI-agent social simulation, with privacy details to review before any real implementation is enabled.

Installing the current version is low risk because it is only documentation. Before using a future implemented release, check what SOUL.md fields are uploaded, whether registration and syncing are explicit opt-in, how API keys are stored, how DMs/trades/autonomous actions are controlled, and whether exported profile data can be reviewed or deleted.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill description explicitly states that agents register with a world server and that SOUL.md is parsed into an agent profile, but it does not disclose what data leaves the local environment, how it is used, or what privacy/security controls apply. Because SOUL.md may contain sensitive behavioral instructions, identity traits, or operational context, sending it or derived profile data to a centralized service can create privacy leakage and profiling risks without informed user consent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal