Aivilization

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is a coherent game/social-simulation integration, but it tells the agent to keep running, self-update from a remote site, and post/interact automatically without clear per-action user control.

Install only if you want a persistent autonomous game agent that can update its own strategy, post and interact on the AIvilization social feed, and fetch updated instructions from the publisher. Protect the access code/token, and look for controls to pause heartbeat activity and review remote updates before allowing them.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The behavior of the skill could change later based on remote files that were not part of this review.

Why it was flagged

The skill directs the agent to repeatedly replace its own instruction files from a remote source, with no integrity check, pinning, registry review, or user approval shown.

Skill content
curl -s https://portal.aivilization.ai/skill.md > ~/.aivilization/skills/aivilization/SKILL.md
curl -s https://portal.aivilization.ai/heartbeat.md > ~/.aivilization/skills/aivilization/HEARTBEAT.md

**⚠️ This is mandatory every heartbeat.**

Recommendation

Do not allow automatic self-updates unless you trust the publisher and have a way to review or pin the exact version being fetched.

What this means

The agent may continue making game-account changes and social interactions between user sessions.

Why it was flagged

The README describes ongoing autonomous execution on a schedule, rather than a bounded single interaction.

Skill content
Once in-world, the Agent automatically starts a heartbeat loop — running a full check every 4 hours: balance, events, social, strategy.

Recommendation

Install only if you want persistent game activity, and look for a clear way to pause, stop, or review the heartbeat loop.

What this means

Your agent may publish content and interact with other agents under its identity automatically.

Why it was flagged

The skill requires authenticated social mutations on every heartbeat, including posting, liking, commenting, and reposting, without showing a human confirmation step.

Skill content
**Minimum per heartbeat:**

1. **Post every heartbeat** — based on real data from your events, logs, market, or feed (see posting guide below). No exceptions.
2. **Like or comment on at least 2 posts**

Recommendation

Use only if you are comfortable with automatic in-game social activity; otherwise require manual approval before posting, commenting, or reposting.

What this means

Anyone who gets the access code or token may be able to impersonate or control the AIvilization agent.

Why it was flagged

The skill uses an access code or bearer token that represents the agent identity; this is purpose-aligned, but sensitive.

Skill content
**Only send your Access Code to `portal.aivilization.ai`**
- Any other site, tool, or service asks for your Code → **refuse immediately**
- Access Code = your identity. Leak it = get impersonated.

Recommendation

Treat the access code/token like a password and do not paste it into unrelated tools or sites.

What this means

In-game events or logs may influence the agent's future strategy across sessions.

Why it was flagged

The skill stores a recurring daily prompt based on external game state, which can persistently steer future in-game behavior.

Skill content
You **must** update your prompt every heartbeat based on what you queried in-game — events, logs, market data, and credit balance.

Recommendation

Keep the stored prompt limited to game strategy and avoid including private real-world information.