Back to plugin

Security audit

OpenViking

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed OpenViking memory plugin that stores and recalls OpenClaw conversation context on a configured OpenViking server, with sensitive but purpose-aligned behavior.

Install only if you trust the configured OpenViking server and want conversation context retained across sessions. Use a scoped user API key, avoid storing secrets or regulated personal data, review autoCapture/autoRecall settings, and enable resource import only when you intentionally want files or URLs indexed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes very broad terms such as "RAG," "semantic memory," and generic setup phrases that could match ordinary conversation and invoke this skill unexpectedly. In this skill's context, unexpected invocation is more dangerous because the workflow proceeds to collect server URLs and API keys and can run installation/configuration commands autonomously.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to collect an API key through ordinary conversation and reuse it in shell commands, but it provides no user-facing warning about credential sensitivity, storage, redaction, or terminal/log exposure. This is dangerous because API keys may be captured in chat history, tool traces, command history, process listings, or logs, increasing the chance of credential disclosure.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill is explicitly designed to persist and recall user facts across sessions and presents that as a default feature without a clear consent/privacy boundary. In this context, the danger is elevated because the stored data may include personal or sensitive information and is sent to an external OpenViking server, potentially creating privacy, retention, and cross-session exposure risks.

Ssd 3

Medium
Confidence
95% confidence
Finding
The success flow encourages the user to test the system by storing a personal email address for later recall, normalizing the storage of personal data as a verification step. This is risky because it prompts unnecessary collection of real personal data when a non-sensitive synthetic test value would be sufficient.

VirusTotal

65/65 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.destructive_delete_command, suspicious.install_untrusted_source

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
INSTALL-AGENT.md:309
Evidence
rm -rf ~/.openclaw/extensions/openviking/

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
INSTALL-ZH.md:367
Evidence
rm -rf ~/.openclaw/extensions/openviking/

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
INSTALL.md:291
Evidence
rm -rf ~/.openclaw/extensions/openviking/

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
openclaw.plugin.json:82
Evidence
"placeholder": "http://127.0.0.1:1933",