OpenViking Light

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local knowledge search and MiniMax-based RAG tool, but users should understand that generated answers send retrieved knowledge to MiniMax and that missing dependencies may be installed at runtime.

Install only if you are comfortable with a persistent local knowledge store and MiniMax processing for generated answers. Use search.py for local-only retrieval, avoid storing secrets or sensitive notes, set MINIMAX_API_HOST only to a trusted HTTPS MiniMax endpoint, and consider installing/pinning jieba yourself before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (22)

os.system() or os exec-family call

Severity: High
Category: Dangerous Code Execution
Content:
import jieba
except ImportError:
    print("正在安装 jieba 分词器...")
    os.system(f"{sys.executable} -m pip install jieba -q")
    import jieba

DATA_FILE = Path.home() / ".openviking/light/data/bm25_store.json"
Confidence: 97%
Finding: os.system(f"{sys.executable} -m pip install jieba -q")

os.system() or os exec-family call

Severity: High
Category: Dangerous Code Execution
Content:
import jieba
except ImportError:
    print("正在安装 jieba 分词器...")
    os.system(f"{sys.executable} -m pip install jieba -q")
    import jieba

DATA_DIR = Path.home() / ".openviking/light/data"
Confidence: 94%
Finding: os.system(f"{sys.executable} -m pip install jieba -q")

os.system() or os exec-family call

Severity: High
Category: Dangerous Code Execution
Content:
import jieba
except ImportError:
    print("正在安装 jieba 分词器...")
    os.system(f"{sys.executable} -m pip install jieba -q")
    import jieba

DATA_FILE = Path.home() / ".openviking/light/data/bm25_store.json"
Confidence: 97%
Finding: os.system(f"{sys.executable} -m pip install jieba -q")

Tainted flow: 'req' from os.environ.get (line 100, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            result = json.loads(resp.read())
            if "choices" not in result:
                raise RuntimeError(f"Chat failed: {result}")
Confidence: 98%
Finding: with urllib.request.urlopen(req, timeout=60) as resp:

Tainted flow: 'req' from os.environ.get (line 132, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            result = json.loads(resp.read())
            if "choices" not in result:
                raise RuntimeError(f"Chat failed: {result}")
Confidence: 96%
Finding: with urllib.request.urlopen(req, timeout=60) as resp:

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill documentation exposes capabilities that read environment variables, write local files, invoke shell commands, and send data over the network, but it does not declare permissions or boundaries for those actions. This creates a trust and review gap: the skill can access secrets such as API keys, persist user data locally, and exfiltrate queries to an external service without an explicit permission model.

Description-Behavior Mismatch

Severity: High
Confidence: 93%
Finding: The skill metadata and comments suggest a local/lightweight implementation, but the code sends user queries and retrieved knowledge to the external MiniMax API. This mismatch is dangerous because users may disclose private memory content under the false assumption that processing is local-only.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: Automatically installing a package during execution is outside the expected behavior of a simple query skill and causes code from an external package repository to run without prior review. In a security-sensitive environment, that expands the supply-chain and execution surface beyond what the user likely expects.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding: The docstring states the BM25 retrieval is local and API-free, but the script performs external API-based answer generation using retrieved content and the user query. This misleading framing increases the risk of accidental data disclosure because users and operators may not realize sensitive content is leaving the host.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The skill description claims a pure local implementation with no external model/API dependency, but the ask flow sends prompts and retrieved knowledge to a remote MiniMax API. This mismatch is security-relevant because users may place sensitive memory content into the store under the false assumption it never leaves the machine.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: Installing dependencies at runtime through pip is not necessary for the core retrieval logic and expands the trust boundary at execution time. It can trigger unintended package downloads and code execution from external repositories without review, which is inappropriate for a simple knowledge-base script.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The module advertises itself as a pure local tool with no external API use, but it performs a runtime package installation that can reach external package repositories. This discrepancy is security-relevant because it misleads operators about network behavior and trust boundaries, making unexpected code download and execution more likely to go unnoticed.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding: A lightweight local knowledge search script has no strong operational need to invoke pip through the shell during execution, so this behavior is unjustified and materially increases risk. Package installation can execute untrusted code during build/install steps and may alter the environment persistently, turning a simple search action into a code-execution event.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The README presents the system as largely local and emphasizes that retrieval runs locally, but it does not clearly warn users that RAG question content is transmitted to the external MiniMax API for answer generation. In a knowledge-base skill, users may submit sensitive memory, prior conversation content, or proprietary notes, so missing disclosure can lead to unintended exfiltration of confidential data to a third-party service.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The trigger phrases are broad and conversational, such as remembering prior discussion or asking about knowledge, which can cause the skill to activate in situations the user did not intend. In this skill, unintended activation is more dangerous because activation may lead to local memory retrieval and external LLM queries, increasing the risk of oversharing prior conversation content.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The markdown states that user questions are handled by MiniMax for answer generation and provides API host and key configuration, but it does not clearly warn that user queries and retrieved knowledge may be transmitted to an external service. In a RAG skill that searches memory-like content, this can leak sensitive prior conversation data or locally stored knowledge to a third-party API without informed user consent.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The script installs `jieba` via a shell command without a strong explicit warning or consent flow. Silent dependency installation can surprise operators, modify the environment, and execute third-party package code in contexts where outbound access or package installation should be tightly controlled.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The code builds a prompt from retrieved knowledge and the user's query, then sends it to an external LLM endpoint without any explicit privacy warning or opt-in. Because this skill is triggered for memory/knowledge retrieval, the transmitted context may contain sensitive prior information, making off-host disclosure especially risky.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script silently performs a package installation after only printing a status line, without prior informed consent. This is a risky behavior because it modifies the environment and runs code from packages outside the intended local retrieval scope.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The ask command sends both the user's query and retrieved local knowledge entries to an external LLM service, but the user is not warned that local stored content will be transmitted off-box. In a memory or knowledge-base skill, that omission materially increases privacy and confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The script performs shell-based dependency installation without warning users in the module documentation that running it may trigger external downloads and code execution. Lack of upfront disclosure reduces informed consent and makes the behavior more dangerous in restricted or high-trust environments where operators expect local-only processing.

Ssd 1

Severity: Medium
Confidence: 92%
Finding: Retrieved knowledge is inserted verbatim into the LLM prompt as trusted reference material. If stored content contains adversarial instructions, prompt injection, or manipulative text, it can influence the model's behavior, causing misleading outputs, policy bypass attempts, or unintentional disclosure in responses.

VirusTotal

64/64 vendors flagged this skill as clean.
