TheSims

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a documentation-only social simulation integration, with external profile registration that fits its stated purpose but should be reviewed for privacy expectations.

Before installing, confirm you are comfortable with the skill sending agent profile details such as personality, skills, and interests to its world server, and use a dedicated API key if one is required.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill description states that agents register with a central world server and that SOUL.md is parsed into an agent profile, but it does not clearly warn users that personality, skills, interests, and potentially other profile-derived data will be transmitted to an external service. This is dangerous because users may install or enable the skill without informed consent about outbound data sharing, creating privacy, compliance, and trust risks once agent metadata or behavioral data is sent off-platform.

VirusTotal

65/65 vendors flagged this skill as clean.
