High Risk — Risk Score 65/100
Last scan: 23 hr ago
openviking-context
OpenViking layered context database for AI agents — L0/L1/L2 semantic search and memory management
The skill contains an undocumented curl|bash remote script execution pattern for installing a Rust CLI component, combined with plaintext API key storage and shell RC modifications, creating a significant supply-chain and credential-theft attack surface.
Skill Name: openviking-context
Duration: 64.2s
Engine: pi
Do not install this skill
Remove the curl|bash pattern from install.sh (replace with explicit binary download/verification or documented user opt-in); encrypt or use a secrets manager for API key storage; add clear documentation of all shell operations and file writes in SKILL.md.

Attack Chain (4 steps)

1. Entry: User installs the skill and runs install.sh, which optionally triggers curl|bash (scripts/install.sh:65)
2. Escalation: Remote script fetched from a GitHub raw URL and executed as a root-equivalent user (scripts/install.sh:65)
3. Escalation: API key stored in plaintext in ~/.openviking/ov.conf (scripts/setup-config.sh:85)
4. Impact: Any local attacker or malware with filesystem read access can steal the API key from ov.conf (~/.openviking/ov.conf)

Findings (6 items)

Critical: Undeclared curl|bash remote script execution (RCE)
Location: scripts/install.sh:65
scripts/install.sh line 65 executes 'curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash' without any user prompt or disclosure in SKILL.md. This classic 'curl|bash' pattern allows arbitrary code execution from a remote URL. While the URL points to a legitimate ByteDance (Volcengine) GitHub repository, the pattern is inherently dangerous and completely undeclared in the documentation.
Evidence: curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash
→ Replace with an explicit download plus signature verification, or require an explicit user opt-in flag (e.g., --install-ov-cli). Document this behavior in SKILL.md.
High: Plaintext API key storage with no encryption or masking (Credential Theft)
Location: scripts/setup-config.sh:85
scripts/setup-config.sh writes the user's API key in plaintext directly into ~/.openviking/ov.conf under the 'api_key' field. There is no encryption and no use of a secrets manager (keychain, envsecrets), so the key is readable by anyone with filesystem access. Additionally, the default placeholder 'YOUR_API_KEY_HERE' remains in the script as a hardcoded string reference.
Evidence: API_KEY="YOUR_API_KEY_HERE"
→ Use the system keychain (macOS Keychain, Linux secret-service) or environment variable injection instead of writing keys to disk. If file storage is required, encrypt the config file.
High: Unpinned pip install with --force-reinstall allows package substitution (Supply Chain)
Location: scripts/install.sh:41
scripts/install.sh uses 'pip install openviking --upgrade --force-reinstall' without specifying a version. Combined with --force-reinstall, this means any version of the openviking package (including a maliciously substituted one from a compromised PyPI account or typosquatting) could be installed on every run.
Evidence: $VENV_PIP install openviking --upgrade --force-reinstall
→ Pin to a specific version (e.g., openviking==x.y.z). Use a requirements.txt or pyproject.toml with locked hashes for production use.
High: cargo install from git URL without commit hash pinning (Supply Chain)
Location: scripts/install.sh:63
scripts/install.sh uses 'cargo install --git https://github.com/volcengine/OpenViking ov_cli' without pinning to a specific commit, tag, or version. This allows a compromised or hijacked Git repository to serve different code than expected.
Evidence: cargo install --git https://github.com/volcengine/OpenViking ov_cli
→ Pin to a specific tag or commit hash (cargo install takes --tag, --rev or --branch, not --ref): cargo install --git https://github.com/volcengine/OpenViking --tag <tag> ov_cli, or --rev <commit-hash> for an exact commit.
Medium: Shell RC modification is completely undeclared in SKILL.md (Doc Mismatch)
Location: scripts/install.sh:96
scripts/install.sh silently appends 'export OPENVIKING_CONFIG_FILE=...' and 'export OPENVIKING_CLI_CONFIG_FILE=...' to ~/.zshrc or ~/.bashrc (lines 101-107). This is a form of persistence mechanism that modifies the user's shell configuration without explicit disclosure or user consent in the documentation.
Evidence: } >> "$SHELL_RC"
→ Document this behavior explicitly in SKILL.md. Consider using a .env file loaded by the venv activation script instead of modifying user shell RC files.
Medium: Server startup commands use nohup with PID tracking, could create orphaned processes (Persistence)
Location: SKILL.md:94
SKILL.md documents starting openviking-server and openviking.console.bootstrap with nohup and >> logfile redirects. No PID file management or systemd/service integration means processes can become orphaned or run indefinitely.
Evidence: nohup ~/.openviking/venv/bin/openviking-server > ~/.openviking/server.log 2>&1 &
→ Provide systemd service files or use proper process supervision. Add cleanup/stop instructions in the documentation.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md documents filesystem writes for config and workspace |
| Shell | NONE | WRITE | ✗ Violation | scripts/install.sh:65 executes 'curl \| bash' from remote URL; not declared in SK… |
| Network | READ | READ | ✓ Aligned | SKILL.md documents remote API calls for model providers |
| Environment | NONE | WRITE | ✗ Violation | install.sh:101-107 silently modifies ~/.zshrc/~/.bashrc with export statements |
| Skill Invoke | NONE | NONE | | No skill invocation capability found |
10 findings (1 Critical, 1 High)

- Critical: Dangerous Command (dangerous shell command)
  curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash
  scripts/install.sh:65
- High: API Key (suspected hard-coded credential)
  API_KEY="YOUR_API_KEY_HERE"
  scripts/setup-config.sh:85
- Medium: External URL
  https://www.openviking.ai
  README.md:119
- Medium: External URL
  https://docs.openclaw.ai/tools/creating-skills
  README.md:120
- Medium: External URL
  https://clawhub.ai
  README.md:121
- Medium: External URL
  http://127.0.0.1:1933
  SKILL.md:98
- Medium: External URL
  https://docs.litellm.ai/docs/providers
  SKILL.md:237
- Medium: External URL
  https://build.nvidia.com/
  SKILL.md:238
- Medium: External URL
  https://ark.cn-beijing.volces.com/api/v3
  scripts/setup-config.sh:48
- Medium: External URL
  https://integrate.api.nvidia.com/v1
  scripts/setup-config.sh:56

File Tree

9 files · 62.2 KB · 1892 lines
Python: 2 files, 1021 lines · Shell: 3 files, 471 lines · Markdown: 2 files, 359 lines · JSON: 2 files, 41 lines
├─ scripts/
│ ├─ demo-token-compare.py (Python, 562 lines, 17.1 KB)
│ ├─ install-skill.sh (Shell, 154 lines, 5.2 KB)
│ ├─ install.sh (Shell, 131 lines, 4.5 KB)
│ ├─ setup-config.sh (Shell, 186 lines, 5.6 KB)
│ └─ viking.py (Python, 459 lines, 15.5 KB)
├─ _meta.json (JSON, 5 lines, 141 B)
├─ clawhub.json (JSON, 36 lines, 1.1 KB)
├─ README.md (Markdown, 121 lines, 3.5 KB)
└─ SKILL.md (Markdown, 238 lines, 9.5 KB)

Dependencies (2 items)

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| openviking | * (unpinned) | pip | No | No version pinned; --upgrade --force-reinstall allows any version |
| ov_cli | * (unpinned) | cargo/git | No | cargo install from git without commit hash pinning |

Security Positives

✓ All Python scripts (viking.py, demo-token-compare.py) are readable, well-structured, and perform their documented functions without hidden behavior
✓ No base64-encoded payloads, obfuscated code, or anti-analysis techniques found
✓ No network exfiltration, C2 communication, or credential harvesting loops detected
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive credential paths
✓ No reverse shell, RCE loops, or persistence backdoors found
✓ The skill is for a legitimate open-source project (OpenViking by ByteDance/Volcengine)
✓ API endpoints are to known legitimate providers (OpenAI, Volcengine, NVIDIA, LiteLLM)