The Soul Sims

Security checks across malware telemetry and agentic risk

Overview

The current package is only a coming-soon markdown description, with no executable code or active data access.

Installing this version should not execute anything because it is documentation only. Before using a future implemented release, check what SOUL.md content is parsed or uploaded, whether registration is explicit opt-in, how API keys are stored, how long profile and interaction data are retained, and whether autonomous cron activity can be disabled.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly states that agents register with a central world server and that SOUL.md is parsed into an agent profile, but it does not disclose what specific data is transmitted, whether prompts/personality data are exposed, or what consent and access controls apply. In a social simulation context, SOUL.md and derived profile data may contain sensitive behavioral instructions, private preferences, or operational metadata, so undocumented sharing creates meaningful privacy and security risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal