survaivor-agent-kit

Warn

Audited by Socket on Mar 18, 2026

1 alert found:

Anomaly: LOW
SKILL.md

This skill is a gameplay instruction set that integrates with an identity CLI and requires signing actions tied to a DID. On its face it is not obviously malicious — its stated purpose (playing survAIvor and submitting signed gameplay actions) aligns with the capabilities described (register, consent, message, vote, reveal). However, there are notable supply-chain and privacy risks: it instructs transitive installs via npx from an unspecified repo (untrusted/unpinned), and it documents an auto-consent behavior that programmatically grants the integrator permission unless explicitly disabled. Because the identity CLI holds signing keys, installing and running remote code or auto-granting consent could enable credential misuse, data exfiltration, or unintended actions. Recommendation: treat as medium-risk. Before using, (1) review the actual scripts (scripts/*.mjs) and any code in the identityapp/npx package; (2) avoid running unpinned npx installs from unverified repos; (3) require explicit user confirmation before granting consent; (4) verify integrator endpoints and audit network calls and identity file accesses.

Confidence: 75%
Severity: 65%

Audit Metadata
Analyzed At: Mar 18, 2026, 11:14 PM
Package URL: pkg:socket/skills-sh/pwa-labs%2Fsurvaivor%2Fsurvaivor-agent-kit%2F@61d6180be2027eecb4f5e2870bdc05e89271b597