OpenViking

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate OpenViking memory plugin, but it automatically sends and stores conversation and tool-result data on a configured remote server with some under-disclosed privacy and deletion risks.

Install only if you are comfortable sending OpenClaw conversations, assistant messages, and some tool-result data to your configured OpenViking server for retention and later recall. Prefer environment variables or interactive setup for API keys, avoid pasting secrets into chat or command history, disable autoCapture/autoRecall for sensitive sessions, configure bypassSessionPatterns where needed, and review deletion/resource-import actions before allowing an agent to run them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide includes recursive deletion commands against user directories without an explicit warning, confirmation step, backup guidance, or validation that the path is correct. In an agent-executable install guide, this increases the risk of unintended data loss if an automated system follows the instructions blindly or if path expansion behaves unexpectedly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The install guide repeatedly shows commands that pass API keys directly as CLI arguments, which can leak secrets via shell history, process listings, audit logs, CI job logs, and terminal scrollback. In an agent-assisted or automated setup context, this is more dangerous because the commands are likely to be copied verbatim into scripts or orchestration systems where command lines are recorded.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly instructs users to place an API key directly into an agent prompt while the same document explains that user/assistant turns are archived to a remote OpenViking server every turn. That creates a realistic credential-exposure path via chat history, session archives, long-term memory extraction, logs, or downstream tooling, even if the plugin itself says it does not intentionally log the key.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code sends user-derived query text to external memory search endpoints via multiple client.find calls, but there is no evidence in this file of user consent, disclosure, or gating for potentially sensitive prompt content. Even though the text is sanitized and truncated, sanitization does not prevent private or confidential user data from being transmitted to an external service, creating a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code uploads newly extracted session messages, including user and assistant content and tool outputs, to the external OpenViking service automatically during `afterTurn`. Because the upload happens implicitly and the code only strips one specific memory tag pattern, sensitive prompts, personal data, secrets, or tool-returned credentials could be persisted or transmitted off-process without a local consent gate at the upload point.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code automatically commits and archives a session to the external service once `pendingTokens` crosses `commitTokenThreshold`, without any user-visible confirmation or sensitivity check. That increases retention and exposure of conversation data, and can preserve sensitive material longer than expected, especially in an agent context where tool outputs may contain private or high-value information.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code automatically searches user/agent/resource memories and may read full stored content for level-2 memories, then injects that content into model context without any user-facing notice or consent check in this file. That creates a privacy and prompt-injection risk because sensitive or adversarial stored memory content can be surfaced to the model implicitly whenever auto-recall is enabled.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
addResource accepts arbitrary remote sources including http(s), git, ssh, and git@ URIs and forwards them to the backend without any validation or restriction. If untrusted input reaches this method, it can cause the remote service to fetch attacker-controlled endpoints, creating SSRF-style exposure, unexpected network access, or ingestion of malicious repositories/content.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code logs assembled session content previews, including message roles and the first 100 characters of each message. Conversation history can contain credentials, personal data, prompts, or tool output, so writing it to logs creates a secondary exposure channel that is often retained, aggregated, and accessible beyond the original conversation boundary.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The compact path logs the full getSessionContext result and additional restored message summaries, which can expose entire archived session context, summaries, and message previews. Because this code handles memory/session compaction, the logged material is especially likely to include long-lived sensitive user history, making log compromise or over-broad operator access materially dangerous.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The memory_forget tool can permanently delete a memory based solely on a query when exactly one candidate remains and its score is at least 0.85, without any explicit confirmation step. Because search/ranking is heuristic and user or model prompts may be ambiguous, this creates a real risk of unintended destructive actions and irreversible loss of stored data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code converts tool results into user-role messages and includes both toolOutput and associated toolInput in extracted conversation data without any explicit redaction, minimization, or disclosure boundary. Tool inputs/outputs often contain sensitive data from connectors, APIs, or background tools, so surfacing them as ordinary conversational content can unintentionally expose secrets or private data to downstream memory, logging, or model-processing paths.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The legacy extractor serializes raw toolInput with JSON.stringify and emits it directly into flat text output, which can leak structured secrets, tokens, personal data, or internal parameters into logs, prompts, or memory stores. Because this is a backward-compatible wrapper, the risk is amplified by older call sites continuing to consume the unsafe text format implicitly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The memory_forget tool can permanently delete memories immediately when given an exact URI, and it can also auto-delete a searched match when only one high-scoring candidate is found. There is no explicit confirmation, capability check, or user-facing warning in this code path, so an agent or prompt-induced tool call could cause irreversible data loss from long-term memory.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The manifest enables automatic capture of recent conversation content and automatic recall/injection of stored memories into agent context, but the user-facing descriptions do not clearly warn that potentially sensitive conversation data may be collected, stored remotely, and later reintroduced into prompts. In a memory-management context engine with startup activation and broad tool access, this increases the risk of unintentional privacy exposure, data retention surprises, and cross-context disclosure if operators enable these features without understanding their implications.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases include broad terms like 'RAG', 'semantic memory', and generic installation/setup language that can match ordinary conversation unrelated to this plugin. That can cause the agent to invoke a high-impact install/configuration workflow unexpectedly, leading to unauthorized plugin changes, credential prompts, or privacy-affecting configuration in the wrong context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill collects API keys and then passes them on command lines and into persisted configuration without a clear warning about exposure, storage location, or retention. Secrets in CLI arguments can leak via process listings, logs, shell history, transcripts, or config files, making credential compromise plausible.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises automatic cross-session capture and recall of chat content but does not front-load a clear privacy notice or affirmative consent step proportional to the sensitivity of the data being retained. This can lead users to disclose sensitive information without understanding that it will be archived and later retrieved across sessions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
`extractNewTurnMessages` converts `toolResult` messages into user-role payloads and includes both `toolOutput` and recovered `toolInput` objects without redaction. If tools handle secrets, tokens, personal data, file contents, or internal system results, this code can propagate sensitive information into downstream memory/extraction pipelines, increasing the chance of inadvertent retention or secondary disclosure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The legacy formatter serializes full `toolInput` objects with `JSON.stringify` and emits tool outputs as plain text records. In a skill that appears designed for capture/memory extraction, this creates a realistic risk that sensitive tool parameters or results are logged, embedded in prompts, deduplicated, stored, or surfaced to other components that were only expected to process conversational text.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill is designed to retain and later recall user facts across sessions, and it explicitly frames this as automatic behavior during normal conversation. In the absence of strong consent, minimization, and data-class restrictions, this creates a real privacy and data-handling risk because sensitive personal information may be stored and resurfaced unexpectedly.

Ssd 3

Medium
Confidence
97% confidence
Finding
The verification flow encourages the user to persist and retrieve an email address as a test, normalizing storage of personal data in long-term memory. Using real personal identifiers in a demo path increases the chance of unnecessary collection, retention, and later disclosure of sensitive information.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Same plugin ID (openviking, >= 0.3.x):

```bash
rm -rf ~/.openclaw/extensions/openviking/
openclaw plugins install clawhub:@openviking/openclaw-plugin
openclaw openviking setup --reconfigure
openclaw gateway restart
```
Confidence
96% confidence
Finding
rm -rf ~

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
openclaw plugins uninstall memory-openviking 2>/dev/null || true
openclaw config set plugins.slots.memory none
rm -rf ~/.openclaw/extensions/memory-openviking/
openclaw plugins install clawhub:@openviking/openclaw-plugin
openclaw openviking setup --base-url <OPENVIKING_URL> --api-key <API_KEY> --json
openclaw gateway restart
```
Confidence
96% confidence
Finding
rm -rf ~

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Same plugin ID (openviking, >= 0.3.x):

```bash
rm -rf ~/.openclaw/extensions/openviking/
openclaw plugins install clawhub:@openviking/openclaw-plugin
openclaw openviking setup --reconfigure
openclaw gateway restart
```
Confidence
96% confidence
Finding
rm -rf ~/.openclaw/extensions/openviking/

VirusTotal

66/66 vendors flagged this plugin as clean.