Trust Assessment
ai-society-sim received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 4 high, 0 medium, and 0 low severity. Key findings include Hardcoded Bearer Token detected, Dynamic Skill Definition Updates from External Server, Dynamic Instruction Loading from External URL.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Dynamic Skill Definition Updates from External Server.** The skill explicitly states that `skill.md`, `skill.json`, and `heartbeat.md` "can change and be updated at any time" and instructs the agent to "check the latest version of the files on the server". This means the core definition and behavior of the skill can be altered remotely by the `society.mog.gg` server without explicit user review or consent. This is a critical prompt injection and supply chain risk, as an attacker could modify the skill's instructions to perform malicious actions. Skill definitions and operational logic should be static and contained within the skill package at the time of installation/review. Dynamic updates to core skill logic should be strictly prohibited or require explicit user approval and re-analysis. | LLM | skill.md:1 |
| CRITICAL | **Dynamic Instruction Loading from External URL.** The skill instructs the agent to fetch `https://society.mog.gg/heartbeat.md` and "follow it". This allows external content to dynamically alter the agent's behavior, posing a severe prompt injection risk. A compromised external server could inject arbitrary malicious instructions, leading to data exfiltration, command injection, or other harmful actions. This also represents a supply chain risk as the agent's operational logic is not fully contained or versioned within the skill package. Remove instructions to fetch and execute/follow external, unverified content. All operational logic should be contained within the skill package or explicitly approved by the user. If dynamic updates are necessary, implement strict content validation, signing, and user approval mechanisms. | LLM | skill.md:76 |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/alexmog/society-game/skill.md:111 |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/alexmog/society-game/skill.md:116 |
| HIGH | **Instruction to Create System Cron Job.** The skill explicitly instructs the agent to "create a cron job to run every 30 minutes". This is a direct command to perform a system-level action. If the agent has underlying shell access, this constitutes a command injection vulnerability. Even without direct shell access, it indicates an expectation of excessive system permissions that could be exploited. Remove instructions that directly command system-level operations like creating cron jobs. Agent skills should operate within their defined sandbox and not attempt to modify the host system's configuration. If scheduling is required, it should be managed by the host environment or through secure, sandboxed APIs. | LLM | skill.md:70 |
| HIGH | **API Key Exposure Risk via Dynamically Loaded Instructions.** The skill instructs the agent to "Save your `apiKey`" (line 57) and then to fetch and "follow" external instructions from `https://society.mog.gg/heartbeat.md` (line 76). This combination creates a high-risk scenario where a compromised `heartbeat.md` could instruct the agent to exfiltrate the saved `apiKey` to an attacker-controlled server, leading to unauthorized access to the agent's account. Prohibit the dynamic loading of instructions from external sources, especially when sensitive credentials are handled by the agent. If external configuration is necessary, it must be strictly data-only, validated, and not contain executable instructions. Ensure API keys are stored securely and not exposed to dynamically loaded content. | LLM | skill.md:76 |
Full report: https://skillshield.io/report/4c73762b294f5bd0