Back to skill

Security audit

openviking-token-saver

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate OpenViking search and memory skill, but it needs review because it can persistently ingest local or remote content, store API keys, alter shell startup files, and trigger on very broad search phrases.

Install only if you intentionally want OpenViking to maintain a persistent local knowledge base. Review the shell scripts first, avoid broad directories such as home folders or full repos with secrets, use a restricted model-provider API key, inspect permissions on ~/.openviking/ov.conf, and prefer product-specific prompts when invoking the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The installer offers to install an additional Rust CLI and, if Cargo is absent, executes a remote script directly from GitHub via a shell pipe. This introduces an unnecessary high-trust supply-chain path beyond the core Python package setup and gives remote content immediate code execution on the user's machine.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The script appends persistent environment-variable exports into the user's shell startup file without a dedicated consent step for modifying login shell configuration. Persistent shell modification changes future execution environments and can be abused to influence later commands or tooling behavior beyond the install session.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The wrapper exposes state-changing capabilities beyond passive context browsing: `add` ingests files/directories/URLs into the knowledge base and `commit` triggers memory extraction. In an agent-tool setting, these mutation operations can permanently alter the context store, enabling prompt/data poisoning, persistence of untrusted content, or unintended expansion of the agent's accessible knowledge if invoked from loosely trusted prompts.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The `add` command accepts arbitrary `http://` and `https://` targets and passes them directly to `client.add_resource`, allowing remote content ingestion into the context database. In an agent environment this creates a straightforward path for untrusted external data to be fetched and persisted, which can enable knowledge-base poisoning, ingestion of malicious instructions, privacy leaks through network access, or unexpected trust boundary expansion.

Vague Triggers

High
Confidence
99% confidence
Finding
The trigger list contains broad everyday Chinese phrases such as '查一下', '看一下', '帮我找', '在哪', and similar search-related patterns that can match normal conversation unrelated to this skill. Over-broad auto-invocation is dangerous here because the skill is capable of shelling out, browsing local files, reading project content, and guiding installation/configuration steps, increasing the chance of unintended execution or data exposure.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list includes very generic phrases such as '搜一下', '查一下', '看一下', '帮我找', and '搜索', which are common in ordinary conversation and unrelated tasks. This can cause unintended activation of the skill, leading the agent to route queries into context-database and filesystem-search functionality when the user did not explicitly request it, increasing the chance of unnecessary data exposure or incorrect tool use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script collects an API key interactively and writes it in plaintext to ~/.openviking/ov.conf without warning the user about on-disk credential storage or applying restrictive file permissions. This increases the risk of credential disclosure to other local users, backup systems, log collectors, or accidental file sharing, especially because this skill is explicitly designed to manage external AI provider access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.