v0.0.1

Viking Memory System Ultra 2

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:36 AM.

Analysis

This memory skill is mostly aligned with its purpose, but it embeds third-party API keys, sends stored memories to external LLM services, and contains unsafe code construction that could let crafted memory text run code.

GuidanceInstall only if you are comfortable with your memory files being persisted locally and potentially sent to MiniMax/NVIDIA-style external LLM endpoints. Before using it with sensitive data, remove hardcoded API keys, require your own declared credentials, restrict file writes to a dedicated workspace, disable or confirm shared-memory syncing, and patch the python3 -c interpolation in the promotion script.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution

SeverityHighConfidenceHighStatusConcern

scripts/sv_promote.sh

local prompt=$(python3 -c "... context = '''${context}'''[:1000]\nmemory = '''${memory_content}'''[:4000] ...")

The promotion script interpolates context and memory file contents directly into Python source passed to python3 -c instead of passing them as data. Crafted memory text containing Python string delimiters could alter the generated Python code.

User impactA malicious or corrupted memory entry could execute code under the user's account when semantic promotion is run.

RecommendationPass memory and context through stdin, files, environment variables, or JSON arguments; never concatenate untrusted memory text into executable Python source.

Tool Misuse and Exploitation

SeverityMediumConfidenceMediumStatusConcern

scripts/sv_write.sh

else
    FULL_PATH="$PATH_ARG"
    REL_PATH="$PATH_ARG"
fi
...
cat > "$FULL_PATH" <<-FRONTMATTER

For non-viking paths, the script accepts the provided path and writes directly to it. The intended workspace boundary is not clearly enforced for this branch.

User impactIf the agent or user supplies an unsafe path, the script can overwrite arbitrary files writable by the current user instead of staying inside the memory workspace.

RecommendationInitialize and enforce a single workspace root for all writes, reject absolute/out-of-workspace paths by default, and avoid overwriting existing files without explicit confirmation.

Cascading Failures

SeverityMediumConfidenceHighStatusConcern

scripts/sv_write_v2.sh

--hot)
    AUTO_HOT=true
    SYNC_TO_SHARED=true
...
SHARED_DIR="$VIKING_GLOBAL/shared/memory/$LAYER"
...
cp "$FULL_PATH" "$SHARED_PATH"

The v2 write script automatically copies hot/important memories into a global shared memory directory.

User impactA memory intended for one workspace may be propagated into shared storage and later reused by other contexts or agents.

RecommendationMake shared-memory publishing a separate explicit action with destination preview, confirmation, retention rules, and clear documentation.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

scripts/llm_interface.sh

MINIMAX_API_KEY="sk-cp-..."
MINIMAX_BASE_URL="https://api.minimaxi.com/anthropic/v1/messages"

The script embeds a provider API key directly in the skill while the registry metadata declares no primary credential.

User impactLLM calls may run under an embedded third-party credential that the user cannot scope, rotate, audit, or knowingly approve.

RecommendationRemove hardcoded keys and require user-supplied credentials through declared environment variables or a secrets mechanism, with provider and scope documentation.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityHighConfidenceHighStatusConcern

scripts/llm_interface.sh

local content=$(cat "$file") ... local prompt="...记忆内容：${safe_content}" ... curl -s --max-time 30 "$MINIMAX_BASE_URL" -H "x-api-key: $MINIMAX_API_KEY"

Memory file contents are read, placed into an LLM prompt, and sent to an external provider endpoint.

User impactPrivate stored memories can leave the local machine during compression, recall, or semantic enhancement without a clear top-level opt-in.

RecommendationDocument every external provider call, require explicit opt-in before sending memory content, support offline/local operation, and allow users to configure their own provider credentials.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

scripts/sv_autoload.sh

SEARCH_DIR="$WORKSPACE/agent/memories" ... find "$SEARCH_DIR" -name "*.md" ... echo "$CONTENT" ... sed -i "s/^access_count:.*/access_count: $NEW_COUNT/" "$FILE"

Autoload searches persistent memory files, prints snippets into the session context, and updates metadata such as access counts.

User impactStored memories can influence future sessions and may be changed automatically as they are loaded.

RecommendationUse this only with trusted memory directories, review memories periodically, and add controls for exclusions, retention, and provenance.