Security Decision Report

openviking-context

The skill contains an undocumented curl|bash remote script execution pattern for installing a Rust CLI component, combined with plaintext API key storage and shell RC modifications, creating a significant supply-chain and credential-theft attack surface.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files 9
IOCs 10
Over-privilege items 2
Findings 6
Most direct threat evidence
Critical · Code execution
Undeclared curl|bash remote script execution

scripts/install.sh line 65 executes 'curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash' without any user prompt or disclosure in SKILL.md. This classic 'curl|bash' pattern allows arbitrary code execution from a remote URL. While the URL points to a legitimate ByteDance (Volcengine) GitHub repository, the pattern is inherently dangerous and completely undeclared in documentation.

scripts/install.sh:65

Why this conclusion was reached

3 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 2 capabilities or over-privileged behaviours beyond what is declared.

Block
Hidden execution and outbound connections

Extracted 2 high-risk IOCs or outbound-connection signals.

Block
Attack chain and high-risk findings

The report contains a 4-step attack chain, plus 4 high or critical findings.

Review
Dependencies and supply-chain hygiene

Found 2 dependency or supply-chain leads that need attention.

Attack chain

01
User installs skill and runs install.sh, which optionally triggers curl|bash

Initial entry · scripts/install.sh:65

02
Remote script fetched from GitHub raw URL and executed as root-equivalent user

supply_chain · scripts/install.sh:65

03
API key stored in plaintext in ~/.openviking/ov.conf

Privilege escalation · scripts/setup-config.sh:85

04
Any local attacker or malware with filesystem read access can steal the API key from ov.conf

Final impact · ~/.openviking/ov.conf

How the risk score was raised

Undeclared curl|bash remote execution +25

SKILL.md never mentions that install.sh will pipe curl output into bash for the Rust CLI (ov_cli). This is the highest-risk pattern in the skill.

Plaintext API key storage in config file +20

setup-config.sh writes API keys in cleartext to ~/.openviking/ov.conf. No encryption, no masking, no secrets manager integration.

Supply-chain: unpinned pip install and git URL +15

install.sh uses 'pip install openviking --upgrade --force-reinstall' without version pinning, and cargo install from a git URL.

Undeclared shell RC modification +10

install.sh silently appends OPENVIKING_CONFIG_FILE and OPENVIKING_CLI_CONFIG_FILE exports to ~/.zshrc or ~/.bashrc without clear disclosure.

Sensitive path access (credential storage) +10

Accesses ~/.openviking/ov.conf, where API keys are stored in plaintext, creating a credential-theft surface if the directory is compromised.

Key evidence

Critical · Code execution

Undeclared curl|bash remote script execution

scripts/install.sh line 65 executes 'curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash' without any user prompt or disclosure in SKILL.md. This classic 'curl|bash' pattern allows arbitrary code execution from a remote URL. While the URL points to a legitimate ByteDance (Volcengine) GitHub repository, the pattern is inherently dangerous and completely undeclared in documentation.

scripts/install.sh:65
Replace with explicit download + signature verification, or require explicit user opt-in flag (e.g., --install-ov-cli). Document this behavior in SKILL.md.
High · Credential theft

Plaintext API key storage with no encryption or masking

scripts/setup-config.sh writes the user's API key in plaintext directly into ~/.openviking/ov.conf under the 'api_key' field. There is no encryption, no use of a secrets manager (keychain, envsecrets), and the key is readable by anyone with filesystem access. Additionally, the default placeholder 'YOUR_API_KEY_HERE' remains in the script as a hardcoded string reference.

scripts/setup-config.sh:85
Use the system keychain (macOS Keychain, Linux secret-service) or environment variable injection instead of writing keys to disk. If file storage is required, encrypt the config file.
High · Supply chain

Unpinned pip install with --force-reinstall allows package substitution

scripts/install.sh uses 'pip install openviking --upgrade --force-reinstall' without specifying a version. Combined with --force-reinstall, this means any version of the openviking package (including a maliciously substituted one from a compromised PyPI account or typosquatting) could be installed on every run.

scripts/install.sh:41
Pin to a specific version (e.g., openviking==x.y.z). Use a requirements.txt or pyproject.toml with locked hashes for production use.
High · Supply chain

cargo install from git URL without commit hash pinning

scripts/install.sh uses 'cargo install --git https://github.com/volcengine/OpenViking ov_cli' without pinning to a specific commit, tag, or version. This allows a compromised or hijacked Git repository to serve different code than expected.

scripts/install.sh:63
Pin to a specific tag or commit hash: cargo install --git https://github.com/volcengine/OpenViking --tag <tag> ov_cli (or --rev <commit> for an exact commit; cargo has no --ref flag)
Medium · Documentation deception

Shell RC modification is completely undeclared in SKILL.md

scripts/install.sh silently appends 'export OPENVIKING_CONFIG_FILE=...' and 'export OPENVIKING_CLI_CONFIG_FILE=...' to ~/.zshrc or ~/.bashrc (lines 101-107). This is a form of persistence mechanism that modifies user shell configuration without explicit disclosure or user consent in the documentation.

scripts/install.sh:96
Document this behavior explicitly in SKILL.md. Consider using a .env file loaded by the venv activation script instead of modifying user shell RC files.
Medium · Persistence

Server startup commands use nohup with PID tracking and could create orphaned processes

SKILL.md documents starting openviking-server and openviking.console.bootstrap with nohup and >> logfile redirects. No PID file management or systemd/service integration means processes can become orphaned or run indefinitely.

SKILL.md:94
Provide systemd service files or use proper process supervision. Add cleanup/stop instructions in the documentation.

Declared vs. actual capabilities

Filesystem · Pass
Declared: WRITE
Inferred: WRITE
SKILL.md documents filesystem writes for config and workspace

Command execution · Block
Declared: NONE
Inferred: WRITE
scripts/install.sh:65 executes 'curl | bash' from remote URL; not declared in SKILL.md

Network access · Pass
Declared: READ
Inferred: READ
SKILL.md documents remote API calls for model providers

Environment variables · Block
Declared: NONE
Inferred: WRITE
install.sh:101-107 silently modifies ~/.zshrc/~/.bashrc with export statements

Skill invocation · Pass
Declared: NONE
Inferred: NONE
No skill invocation capability found

Suspicious artifacts and outbound connections

Critical · Dangerous command
curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash

scripts/install.sh:65

High · API key
API_KEY="YOUR_API_KEY_HERE"

scripts/setup-config.sh:85

Medium · External URL
https://www.openviking.ai

README.md:119

Medium · External URL
https://docs.openclaw.ai/tools/creating-skills

README.md:120

Medium · External URL
https://clawhub.ai

README.md:121

Medium · External URL
http://127.0.0.1:1933

SKILL.md:98

Medium · External URL
https://docs.litellm.ai/docs/providers

SKILL.md:237

Medium · External URL
https://build.nvidia.com/

SKILL.md:238

Medium · External URL
https://ark.cn-beijing.volces.com/api/v3

scripts/setup-config.sh:48

Medium · External URL
https://integrate.api.nvidia.com/v1

scripts/setup-config.sh:56

Dependencies and supply chain

Package · Version · Source · Vulnerability · Note
openviking · * (unpinned) · pip · (empty) · No version pinned; --upgrade --force-reinstall allows any version
ov_cli · * (unpinned) · cargo/git · (empty) · cargo install from git without commit hash pinning

File composition

9 files · 1892 lines
Python 2 files · 1021 lines · Shell 3 files · 471 lines · Markdown 2 files · 359 lines · JSON 2 files · 41 lines
Files requiring attention · 5
scripts/demo-token-compare.py Python · 562 lines
SKILL.md Markdown · 238 lines
Server startup commands use nohup with PID tracking and could create orphaned processes · http://127.0.0.1:1933 · https://docs.litellm.ai/docs/providers · https://build.nvidia.com/
scripts/setup-config.sh Shell · 186 lines
Plaintext API key storage with no encryption or masking · API_KEY="YOUR_API_KEY_HERE" · https://ark.cn-beijing.volces.com/api/v3 · https://integrate.api.nvidia.com/v1
scripts/install.sh Shell · 131 lines
Undeclared curl|bash remote script execution · Unpinned pip install with --force-reinstall allows package substitution · cargo install from git URL without commit hash pinning · Shell RC modification is completely undeclared in SKILL.md · curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash
README.md Markdown · 121 lines
https://www.openviking.ai · https://docs.openclaw.ai/tools/creating-skills · https://clawhub.ai
Other files · viking.py · install-skill.sh · clawhub.json · _meta.json

Security highlights

All Python scripts (viking.py, demo-token-compare.py) are readable, well-structured, and perform their documented functions without hidden behavior
No base64-encoded payloads, obfuscated code, or anti-analysis techniques found
No network exfiltration, C2 communication, or credential harvesting loops detected
No access to ~/.ssh, ~/.aws, .env, or other sensitive credential paths
No reverse shell, RCE loops, or persistence backdoors found
The skill is for a legitimate open-source project (OpenViking by ByteDance/Volcengine)
API endpoints are to known legitimate providers (OpenAI, Volcengine, NVIDIA, LiteLLM)