Back to skill

Security audit

OpenViking 上下文数据库

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate OpenViking integration, but it deserves review because setup can run unpinned external code, store API keys locally, and persist or index user-selected content.

Review before installing, especially on a work machine or with private repositories. Use scoped provider API keys, protect ~/.openviking files, avoid importing directories that contain secrets or regulated data, and inspect or replace the optional curl-to-bash CLI install path with a pinned/manual install if you proceed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script downloads and immediately executes a remote shell script using `curl ... | bash`, which gives the remote content full code-execution privileges on the user's machine. In the context of an installer for a context-database skill, this is especially risky because the fetched script is unpinned, unaudited at install time, and could be changed upstream or replaced if the source is compromised.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The wrapper exposes ingestion capabilities beyond the stated browsing/search role by allowing arbitrary local files, directories, and remote URLs to be added into the context database. In an agent setting, this broadens the skill from passive context access to active data acquisition, which can enable unintended exfiltration, indexing of sensitive local content, or ingestion of untrusted remote data without clear user awareness.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Accepting arbitrary http/https URLs for import lets the skill fetch and persist remote content on demand, which is risky in agent environments because prompts or tool users could induce retrieval from attacker-controlled locations. This can introduce untrusted content into long-lived memory and may also enable network access that exceeds the expected purpose of a context lookup tool.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The info command reads and prints local configuration details including providers, model names, dimensions, and workspace paths. While not immediately exploitable on its own, exposing environment and filesystem metadata can aid reconnaissance and leak sensitive operational details in contexts where command output is visible to untrusted parties or fed back into an LLM transcript.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README encourages users to import project documents and configure third-party model provider API keys, but it does not warn that indexed or searched content may be transmitted to external services for embedding, inference, or storage. In a context-database skill, users may import sensitive internal repositories, secrets, or proprietary documents, so missing disclosure materially increases the risk of unintended data exfiltration or compliance violations.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger list includes generic phrases such as "context database," "token saving," and especially protocol/tool-style terms like "viking://", "memsearch", and "memread" that may match ordinary user requests outside the intended skill scope. Overbroad activation can cause the agent to invoke this skill in unintended contexts, exposing filesystem-like memory operations or steering responses toward this package when the user did not request it.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Executing a remote script via `curl|bash` without a clear advance warning removes the user's opportunity to inspect what will run and hides a highly privileged action behind a routine install flow. Because this skill is framed as a context/memory tool rather than a system bootstrapper, the mismatch can increase trust and make users less likely to scrutinize the command.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script appends exports to `.zshrc` or `.bashrc` without explicit prior consent, permanently modifying the user's login environment. Silent persistence changes can cause unexpected behavior, break shell setups, or be abused to establish lasting influence if the written values are later leveraged by other tooling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script collects an API key interactively and writes it directly into ~/.openviking/ov.conf in plaintext. Storing long-lived credentials unencrypted on disk increases the risk of credential disclosure through local compromise, backups, accidental sharing, or overly permissive file permissions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The tool persistently writes session statistics to ~/.openviking/session_stats.json without notifying the user at the time of use or offering opt-in behavior. In an agent context, this creates silent local retention of queries, URIs, and token-usage metadata, which may include sensitive project names or resource identifiers and remain on disk beyond the session.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.