Skill Trust Decision

openviking-context

The skill contains an undocumented curl|bash remote script execution pattern for installing a Rust CLI component, combined with plaintext API key storage and shell RC modifications, creating a significant supply-chain and credential-theft attack surface.

Install decision first
Source: Manual upload
Scanned: Apr 4, 2026
Files 9
Artifacts 10
Violations 2
Findings 6
Most direct threat evidence
Critical RCE
Undeclared curl|bash remote script execution

scripts/install.sh line 65 executes 'curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash' without any user prompt or disclosure in SKILL.md. This classic 'curl|bash' pattern allows arbitrary code execution from a remote URL. While the URL points to a legitimate ByteDance (Volcengine) GitHub repository, the pattern is inherently dangerous and completely undeclared in documentation.

scripts/install.sh:65

Why this conclusion was reached

3/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Block
Hidden execution and egress

2 high-risk artifacts or egress signals were extracted.

Block
Attack chain and severe findings

The report includes 4 attack-chain steps and 4 severe findings.

Review
Dependencies and supply chain hygiene

2 dependency or supply-chain issues need attention.

Attack Chain

01
User installs the skill and runs install.sh; on the code path at line 65 it pipes a remote script into bash without prompting

Entry · scripts/install.sh:65

02
Remote script fetched from the GitHub raw URL and executed with whatever privileges install.sh is running under (root if the installer is invoked with sudo)

supply_chain · scripts/install.sh:65

03
API key stored in plaintext in ~/.openviking/ov.conf

Escalation · scripts/setup-config.sh:85

04
Any process running as the user, or any other account that can read the file, can lift the API key from ov.conf

Impact · ~/.openviking/ov.conf

What drove the risk score up

Undeclared curl|bash remote execution +25

SKILL.md never mentions that install.sh will pipe curl output into bash for the Rust CLI (ov_cli). This is the highest-risk pattern in the skill.

Plaintext API key storage in config file +20

setup-config.sh writes API keys in cleartext to ~/.openviking/ov.conf. No encryption, no masking, no secrets manager integration.

Supply-chain: unpinned pip install and git URL +15

install.sh uses 'pip install openviking --upgrade --force-reinstall' without version pinning, and cargo install from a git URL.

Undeclared shell RC modification +10

install.sh silently appends OPENVIKING_CONFIG_FILE and OPENVIKING_CLI_CONFIG_FILE exports to ~/.zshrc or ~/.bashrc without clear disclosure.

Sensitive path access (credential storage) +10

Accesses ~/.openviking/ov.conf where API keys are stored in plaintext, creating credential theft surface if directory is compromised.

Most important evidence

Critical RCE

Undeclared curl|bash remote script execution

scripts/install.sh line 65 executes 'curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash' without any user prompt or disclosure in SKILL.md. This classic 'curl|bash' pattern allows arbitrary code execution from a remote URL. While the URL points to a legitimate ByteDance (Volcengine) GitHub repository, the pattern is inherently dangerous and completely undeclared in documentation.

scripts/install.sh:65
Replace with an explicit download to a temporary file, verification against a pinned checksum or signature, and only then execution; or gate the step behind an explicit opt-in flag (e.g., --install-ov-cli). TLS protects the transfer, not the content: whatever the main branch holds at install time is what runs. Document this behavior in SKILL.md.
High Credential Theft

Plaintext API key storage with no encryption or masking

scripts/setup-config.sh writes the user's API key in plaintext directly into ~/.openviking/ov.conf under the 'api_key' field. There is no encryption and no use of a secrets manager (keychain, envsecrets); the key is readable by any process running as the user, and by any other account on the host if the file is not restricted to mode 0600. Additionally, the default placeholder 'YOUR_API_KEY_HERE' remains in the script as a hardcoded string reference.

scripts/setup-config.sh:85
Use the system keychain (macOS Keychain, Linux secret-service) or environment variable injection instead of writing keys to disk. If file storage is required, encrypt the config file.
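Added example, not part of the scan report and not code from the OpenViking project: a POSIX sh fragment showing the remediation above in practice. The key is resolved from the environment first and from the OS keychain second, the config file is written without it, and a permission check refuses any config that is group- or world-readable. The variable name OPENVIKING_API_KEY, the keychain service name "openviking" and the config layout written here are assumptions.

```shell
#!/bin/sh
# Added example (not OpenViking's setup-config.sh). Assumptions: the env var name
# OPENVIKING_API_KEY, the keychain service name "openviking", and the config layout.
set -eu

OV_KEYCHAIN_SERVICE="openviking"

# load_api_key: environment first (CI, containers), then the OS keychain.
# Prints the key on stdout and nowhere else; fails if no key is available.
load_api_key() {
  if [ -n "${OPENVIKING_API_KEY:-}" ]; then
    printf '%s\n' "$OPENVIKING_API_KEY"; return 0
  fi
  acct=${USER:-$(id -un)}
  if command -v security >/dev/null 2>&1; then        # macOS Keychain
    security find-generic-password -a "$acct" -s "$OV_KEYCHAIN_SERVICE" -w 2>/dev/null && return 0
  fi
  if command -v secret-tool >/dev/null 2>&1; then     # Linux secret-service (libsecret)
    secret-tool lookup service "$OV_KEYCHAIN_SERVICE" 2>/dev/null && return 0
  fi
  echo "no API key found: set OPENVIKING_API_KEY or store one with store_api_key" >&2
  return 1
}

# store_api_key: read the key from stdin (never from an argument, so it stays out of
# shell history) and put it in the keychain instead of ov.conf.
store_api_key() {
  key=$(cat)
  acct=${USER:-$(id -un)}
  if command -v security >/dev/null 2>&1; then
    # -U updates an existing item; -w still exposes the value to `ps` briefly,
    # omit the value after -w to be prompted interactively instead.
    security add-generic-password -U -a "$acct" -s "$OV_KEYCHAIN_SERVICE" -w "$key"
  elif command -v secret-tool >/dev/null 2>&1; then
    printf '%s' "$key" | secret-tool store --label="$OV_KEYCHAIN_SERVICE" service "$OV_KEYCHAIN_SERVICE"
  else
    echo "no keychain backend available" >&2; return 1
  fi
}

# redact KEY: the only form of a key that may ever reach a log line.
redact() {
  key=$1
  printf '%s...(%d chars)\n' "$(printf '%s' "$key" | cut -c1-4)" "${#key}"
}

# config_is_private FILE: succeed only if FILE exists and has no group/other bits set.
config_is_private() {
  f=$1
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD stat
  case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# write_config FILE: if a config must live on disk, create it mode 0600 and leave
# api_key empty so the runtime has to go through load_api_key.
write_config() {
  f=$1
  umask 077
  mkdir -p "$(dirname "$f")"
  cat > "$f" <<'EOF'
# api_key is intentionally empty: it is read from OPENVIKING_API_KEY or the keychain at runtime.
api_key =
EOF
  config_is_private "$f"
}
```

Callers obtain the key with `key=$(load_api_key)` at the moment they need it; with `umask 077` in effect the config directory and file are created private even before the explicit check runs.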
High Supply Chain

Unpinned pip install with --force-reinstall allows package substitution

scripts/install.sh uses 'pip install openviking --upgrade --force-reinstall' without specifying a version. Combined with --force-reinstall, every run pulls whatever the index currently serves as the latest release, so a malicious release published from a compromised PyPI maintainer account would be installed on the very next run, with no version or hash check to stop it.

scripts/install.sh:41
Pin to a specific version (e.g., openviking==x.y.z) and, for production use, install from a lockfile (requirements.txt with --hash entries) under pip's --require-hashes so a substituted artifact with the same version number fails the hash check.
High Supply Chain

cargo install from git URL without commit hash pinning

scripts/install.sh uses 'cargo install --git https://github.com/volcengine/OpenViking ov_cli' without pinning to a specific commit, tag, or version. Without --rev, --tag or --branch, cargo builds whatever the repository's default branch points at when the command runs, so a compromised or hijacked Git repository can serve different code than expected.

scripts/install.sh:63
Pin to a specific tag or commit hash with cargo's --tag or --rev option (there is no --ref option), and add --locked so the crate's Cargo.lock is honored: cargo install --locked --git https://github.com/volcengine/OpenViking --rev <commit> ov_cli
Medium Doc Mismatch

Shell RC modification is completely undeclared in SKILL.md

scripts/install.sh silently appends 'export OPENVIKING_CONFIG_FILE=...' and 'export OPENVIKING_CLI_CONFIG_FILE=...' to ~/.zshrc or ~/.bashrc (lines 101-107). This is a persistent change to the user's shell environment, applied to every future shell, made without explicit disclosure or consent in the documentation.

scripts/install.sh:96
Document this behavior explicitly in SKILL.md. Consider using a .env file loaded by the venv activation script instead of modifying user shell RC files.
Medium Persistence

Server startup commands use nohup with PID tracking, could create orphaned processes

SKILL.md documents starting openviking-server and openviking.console.bootstrap with nohup and >> logfile redirects. Without a service manager (systemd, launchd) or equivalent supervision, the processes are not restarted on failure, not stopped on logout, and not cleaned up, so they can be orphaned or run indefinitely.

SKILL.md:94
Provide systemd service files or use proper process supervision. Add cleanup/stop instructions in the documentation.

Declared capability vs actual capability

Capability      Status   Declared   Inferred   Evidence
Filesystem      Pass     WRITE      WRITE      SKILL.md documents filesystem writes for config and workspace
Shell           Block    NONE       WRITE      scripts/install.sh:65 executes 'curl | bash' from remote URL; not declared in SKILL.md
Network         Pass     READ       READ       SKILL.md documents remote API calls for model providers
Environment     Block    NONE       WRITE      install.sh:101-107 silently modifies ~/.zshrc/~/.bashrc with export statements
Skill Invoke    Pass     NONE       NONE       No skill invocation capability found
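Added example, not the scanner's own logic and not OpenViking code: a POSIX sh triage that reproduces the Shell and Environment inferences above, plus the plaintext-key and unpinned-install findings, by pattern-matching an install script line by line. The constructed sample script inside the block stands in for scripts/install.sh; it copies only the shape of the flagged lines, not the real file, and the rule names are my own.

```shell
#!/bin/sh
# Added example (not the scanner's logic). The sample script below is constructed:
# it mirrors the shape of the flagged install.sh lines, not their actual content.
set -eu

# classify LINE: print the first rule the line trips, or nothing.
classify() {
  line=$1
  case "$line" in
    *curl*"|"*sh*|*wget*"|"*sh*)              echo PIPE_TO_SHELL; return 0 ;;
  esac
  case "$line" in
    *">>"*.bashrc*|*">>"*.zshrc*|*">>"*.profile*) echo RC_MODIFY; return 0 ;;
  esac
  case "$line" in
    *pip*install*==*|*pip*install*--require-hashes*) ;;   # pinned or hashed: fine
    *pip*install*)                                echo UNPINNED_PIP; return 0 ;;
  esac
  case "$line" in
    *cargo*install*--rev*|*cargo*install*--tag*) ;;         # pinned: fine
    *cargo*install*--git*)                        echo UNPINNED_CARGO; return 0 ;;
  esac
  case "$line" in
    *api_key*=*|*API_KEY*=*)
      # a value taken from a prompt or command substitution is not a literal on disk
      case "$line" in *'$('*|*'${'*|*read*) ;; *) echo PLAINTEXT_SECRET; return 0 ;; esac ;;
  esac
  return 0
}

# scan_file FILE: print "RULE:LINENO:TEXT" for every hit.
scan_file() {
  f=$1
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    rule=$(classify "$line")
    if [ -n "$rule" ]; then
      echo "$rule:$n:$line"
    fi
  done < "$f"
}

# hit_count FILE: number of flagged lines, for a pass/fail gate.
hit_count() {
  scan_file "$1" | wc -l | tr -d ' '
}

# sample_script: constructed stand-in for an install script with the same shapes as
# the findings; line 7 is a correctly pinned install and must not be flagged.
sample_script() {
  cat <<'EOF'
#!/bin/sh
pip install openviking --upgrade --force-reinstall
cargo install --git https://github.com/volcengine/OpenViking ov_cli
curl -fsSL https://example.invalid/install.sh | bash
echo 'export OPENVIKING_CONFIG_FILE=$HOME/.openviking/ov.conf' >> "$HOME/.zshrc"
API_KEY="YOUR_API_KEY_HERE"
pip install 'openviking==x.y.z'
EOF
}
```

Run it as `sample_script > /tmp/s.sh; scan_file /tmp/s.sh` to see one line per hit; a gate such as `[ "$(hit_count scripts/install.sh)" -eq 0 ]` turns it into a pre-install check. The patterns are deliberately coarse (any `curl ... | ...sh` is flagged), which is the right bias for triage where a false positive costs a minute of reading and a false negative costs a credential.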

Suspicious artifacts and egress

Critical Dangerous Command
curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash

scripts/install.sh:65

High API Key (placeholder default, not a live credential)
API_KEY="YOUR_API_KEY_HERE"

scripts/setup-config.sh:85

Medium External URL
https://www.openviking.ai

README.md:119

Medium External URL
https://docs.openclaw.ai/tools/creating-skills

README.md:120

Medium External URL
https://clawhub.ai

README.md:121

Medium Local URL (loopback address, not external egress)
http://127.0.0.1:1933

SKILL.md:98

Medium External URL
https://docs.litellm.ai/docs/providers

SKILL.md:237

Medium External URL
https://build.nvidia.com/

SKILL.md:238

Medium External URL
https://ark.cn-beijing.volces.com/api/v3

scripts/setup-config.sh:48

Medium External URL
https://integrate.api.nvidia.com/v1

scripts/setup-config.sh:56

Dependencies and supply chain

Package      Version         Source       Known vuln   Notes
openviking   * (unpinned)    pip          No           No version pinned; --upgrade --force-reinstall allows any version
ov_cli       * (unpinned)    cargo/git    No           cargo install from git without commit hash pinning

File composition

9 files · 1892 lines
Python 2 files · 1021 lines
Shell 3 files · 471 lines
Markdown 2 files · 359 lines
JSON 2 files · 41 lines
Files of concern · 5
scripts/demo-token-compare.py Python · 562 lines
SKILL.md Markdown · 238 lines
Server startup commands use nohup with PID tracking, could create orphaned processes · http://127.0.0.1:1933 · https://docs.litellm.ai/docs/providers · https://build.nvidia.com/
scripts/setup-config.sh Shell · 186 lines
Plaintext API key storage with no encryption or masking · API_KEY="YOUR_API_KEY_HERE" · https://ark.cn-beijing.volces.com/api/v3 · https://integrate.api.nvidia.com/v1
scripts/install.sh Shell · 131 lines
Undeclared curl|bash remote script execution · Unpinned pip install with --force-reinstall allows package substitution · cargo install from git URL without commit hash pinning · Shell RC modification is completely undeclared in SKILL.md · curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash
README.md Markdown · 121 lines
https://www.openviking.ai · https://docs.openclaw.ai/tools/creating-skills · https://clawhub.ai
Other files · viking.py · install-skill.sh · clawhub.json · _meta.json

Security positives

All Python scripts (viking.py, demo-token-compare.py) are readable, well-structured, and perform their documented functions without hidden behavior
No base64-encoded payloads, obfuscated code, or anti-analysis techniques found
No network exfiltration, C2 communication, or credential harvesting loops detected
No access to ~/.ssh, ~/.aws, .env, or other sensitive credential paths
No reverse shell, RCE loops, or persistence backdoors found
The skill is for a legitimate open-source project (OpenViking by ByteDance/Volcengine)
API endpoints are to known legitimate providers (OpenAI, Volcengine, NVIDIA, LiteLLM)