OpenViking Setup

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for setting up OpenViking, but it needs Review because it runs unverified remote installer code and persists API keys and memory state without enough safeguards.

Review before installing. Prefer a pinned or verified OpenViking release instead of the curl-to-bash command, avoid storing raw API keys in plaintext when possible, restrict permissions on any local config file, and do not run the health check against production memory unless you accept that it may add a test entry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def check_cli():
    """Check if ov_cli is available."""
    # shell=True hands the command string to the system shell; this is the call the scanner flags
    result = subprocess.run("ov_cli --version", shell=True, capture_output=True)
    if result.returncode == 0:
        print("✓ OpenViking CLI installed")
        return True
    return False
Confidence
90% confidence
Finding
result = subprocess.run("ov_cli --version", shell=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run_command(cmd: str, check: bool = True) -> tuple[int, str, str]:
    """Run a shell command and return exit code, stdout, stderr."""
    # shell=True means the whole string is interpreted by the shell; this is the call the scanner flags
    result = subprocess.run(
        cmd,
        shell=True,
        capture_output=True,
        text=True,
    )
    return result.returncode, result.stdout, result.stderr
Confidence
93% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill contains operational capabilities including shell execution, file writes, and use of environment-backed secrets, yet it declares no permissions or safety boundaries. That mismatch can cause an orchestrator or user to invoke a skill with side effects they were not clearly warned about, increasing the chance of unintended system modification or secret exposure.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
A file labeled as a health check is expected to validate state, not mutate persistent application data. Here, the operations test writes a new memory entry to the OpenViking store, which can pollute the agent's long-term memory and create unintended side effects in downstream behavior.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The main flow automatically triggers a state-changing database write when the basic checks pass, despite the script presenting itself as verification. In an agent memory system, even benign test data can persist and affect retrieval, context ranking, or later automated decisions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script downloads a remote installer from GitHub and pipes it directly to bash, giving whoever controls that content immediate code execution on the host. In a setup skill, this is especially dangerous because users expect to run it locally with their own permissions, making supply-chain compromise or upstream account compromise highly impactful.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are broad enough to match generic requests about memory, context databases, or tiered memory, which could cause accidental invocation in unrelated situations. When a skill performs installs and configuration changes, overbroad triggering materially increases the risk of unrequested shell commands and persistent filesystem changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs installation and creation of a persistent configuration file in the user's home directory without any user-facing warning that it will modify the system. In a tool-using agent context, omission of explicit consent steps makes these side effects dangerous because they can be carried out automatically or with insufficient user awareness.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill recommends piping a remotely fetched script directly into `bash`, which executes unreviewed code from the network with the user's privileges. This is especially dangerous in an agent skill because it creates a direct path from remote content to code execution, enabling supply-chain compromise or tampered installer execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs a write operation without warning or obtaining confirmation from the user. In a setup/health-check skill, silent persistence is especially problematic because operators reasonably expect diagnostics to be side-effect free.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The installer executes a remote shell script without first warning the user or asking for confirmation. That removes an important safety checkpoint for a high-risk action and increases the chance that users will unknowingly execute unreviewed code.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script stores the API key in a local JSON config file under the user's home directory without warning about credential persistence or setting restrictive file permissions. If the file is readable by other local users, included in backups, or accidentally committed, the credential can be exposed.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash
```

### Step 2: Create Configuration

Create `~/.openviking/ov.conf`:
Confidence
82% confidence
Finding
Create Configuration Create `~/.openviking

External Script Fetching

Low
Category
Supply Chain
Content
```bash
pip install openviking --upgrade --force-reinstall

# CLI tool
curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash
```

### Step 2: Create Configuration
Confidence
97% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
pip install openviking --upgrade --force-reinstall

# CLI tool
curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash
```

### Step 2: Create Configuration
Confidence
99% confidence
Finding
| bash

VirusTotal

64/64 vendors flagged this skill as clean.
