High risk: risk score 65/100
Last scanned: 21 hours ago
openviking-context
OpenViking layered context database for AI agents — L0/L1/L2 semantic search and memory management
The skill contains an undocumented curl|bash remote script execution pattern for installing a Rust CLI component, combined with plaintext API key storage and shell RC modifications, creating a significant supply-chain and credential-theft attack surface.
Skill name: openviking-context
Analysis time: 64.2s
Engine: pi
Do not install this skill
Remove the curl|bash pattern from install.sh (replace with explicit binary download/verification or documented user opt-in); encrypt or use a secrets manager for API key storage; add clear documentation of all shell operations and file writes in SKILL.md.

Attack chain: 4 steps

Entry: User installs skill and runs install.sh, which optionally triggers curl|bash
scripts/install.sh:65
Privilege escalation: Remote script fetched from GitHub raw URL and executed as root-equivalent user
scripts/install.sh:65
Privilege escalation: API key stored in plaintext in ~/.openviking/ov.conf
scripts/setup-config.sh:85
Impact: Any local attacker or malware with filesystem read access can steal the API key from ov.conf
~/.openviking/ov.conf

Security findings: 6

Severity · Finding · Location
Critical
Undeclared curl|bash remote script execution (Code execution)
scripts/install.sh line 65 executes 'curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash' without any user prompt or disclosure in SKILL.md. This classic 'curl|bash' pattern allows arbitrary code execution from a remote URL. While the URL points to a legitimate ByteDance (Volcengine) GitHub repository, the pattern is inherently dangerous and completely undeclared in documentation.
curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash
→ Replace with explicit download + signature verification, or require explicit user opt-in flag (e.g., --install-ov-cli). Document this behavior in SKILL.md.
scripts/install.sh:65
High
Plaintext API key storage with no encryption or masking (Credential theft)
scripts/setup-config.sh writes the user's API key in plaintext directly into ~/.openviking/ov.conf under the 'api_key' field. There is no encryption, no use of a secrets manager (keychain, envsecrets), and the key is readable by anyone with filesystem access. Additionally, the default placeholder 'YOUR_API_KEY_HERE' remains in the script as a hardcoded string reference.
API_KEY="YOUR_API_KEY_HERE"
→ Use the system keychain (macOS Keychain, Linux secret-service) or environment variable injection instead of writing keys to disk. If file storage is required, encrypt the config file.
scripts/setup-config.sh:85
High
Unpinned pip install with --force-reinstall allows package substitution (Supply chain)
scripts/install.sh uses 'pip install openviking --upgrade --force-reinstall' without specifying a version. Combined with --force-reinstall, this means any version of the openviking package (including a maliciously substituted one from a compromised PyPI account or typosquatting) could be installed on every run.
$VENV_PIP install openviking --upgrade --force-reinstall
→ Pin to a specific version (e.g., openviking==x.y.z). Use a requirements.txt or pyproject.toml with locked hashes for production use.
scripts/install.sh:41
High
cargo install from git URL without commit hash pinning (Supply chain)
scripts/install.sh uses 'cargo install --git https://github.com/volcengine/OpenViking ov_cli' without pinning to a specific commit, tag, or version. This allows a compromised or hijacked Git repository to serve different code than expected.
cargo install --git https://github.com/volcengine/OpenViking ov_cli
→ Pin to a specific tag or commit hash: cargo install --git https://github.com/volcengine/OpenViking --tag <tag> ov_cli (or --rev <commit> in place of --tag <tag>)
scripts/install.sh:63
Medium
Shell RC modification is completely undeclared in SKILL.md (Documentation deception)
scripts/install.sh silently appends 'export OPENVIKING_CONFIG_FILE=...' and 'export OPENVIKING_CLI_CONFIG_FILE=...' to ~/.zshrc or ~/.bashrc (lines 101-107). This is a form of persistence mechanism that modifies user shell configuration without explicit disclosure or user consent in the documentation.
} >> "$SHELL_RC"
→ Document this behavior explicitly in SKILL.md. Consider using a .env file loaded by the venv activation script instead of modifying user shell RC files.
scripts/install.sh:96
Medium
Server startup commands use nohup with PID tracking, could create orphaned processes (Persistence)
SKILL.md documents starting openviking-server and openviking.console.bootstrap with nohup and >> logfile redirects. No PID file management or systemd/service integration means processes can become orphaned or run indefinitely.
nohup ~/.openviking/venv/bin/openviking-server > ~/.openviking/server.log 2>&1 &
→ Provide systemd service files or use proper process supervision. Add cleanup/stop instructions in the documentation.
SKILL.md:94
Resource type          Declared permission  Inferred permission  Status              Evidence
Filesystem             WRITE                WRITE                ✓ Consistent        SKILL.md documents filesystem writes for config and workspace
Command execution      NONE                 WRITE                ✗ Exceeds declared  scripts/install.sh:65 executes 'curl | bash' from remote URL; not declared in SK…
Network access         READ                 READ                 ✓ Consistent        SKILL.md documents remote API calls for model providers
Environment variables  NONE                 WRITE                ✗ Exceeds declared  install.sh:101-107 silently modifies ~/.zshrc/~/.bashrc with export statements
Skill invocation       NONE                 NONE                                     No skill invocation capability found
1 critical · 1 high · 10 findings

Critical · Dangerous command · Dangerous shell command
curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash
scripts/install.sh:65

High · API key · Suspected hardcoded credential
API_KEY="YOUR_API_KEY_HERE"
scripts/setup-config.sh:85

Medium · External URL
https://www.openviking.ai
README.md:119

Medium · External URL
https://docs.openclaw.ai/tools/creating-skills
README.md:120

Medium · External URL
https://clawhub.ai
README.md:121

Medium · External URL
http://127.0.0.1:1933
SKILL.md:98

Medium · External URL
https://docs.litellm.ai/docs/providers
SKILL.md:237

Medium · External URL
https://build.nvidia.com/
SKILL.md:238

Medium · External URL
https://ark.cn-beijing.volces.com/api/v3
scripts/setup-config.sh:48

Medium · External URL
https://integrate.api.nvidia.com/v1
scripts/setup-config.sh:56

Directory structure

9 files · 62.2 KB · 1892 lines
Python 2f · 1021L Shell 3f · 471L Markdown 2f · 359L JSON 2f · 41L
├─ 📁 scripts
│ ├─ 🔑 demo-token-compare.py Python 562L · 17.1 KB
│ ├─ 🔧 install-skill.sh Shell 154L · 5.2 KB
│ ├─ 🔧 install.sh Shell 131L · 4.5 KB
│ ├─ 🔧 setup-config.sh Shell 186L · 5.6 KB
│ └─ 🐍 viking.py Python 459L · 15.5 KB
├─ 📋 _meta.json JSON 5L · 141 B
├─ 📋 clawhub.json JSON 36L · 1.1 KB
├─ 📝 README.md Markdown 121L · 3.5 KB
└─ 📝 SKILL.md Markdown 238L · 9.5 KB

Dependency analysis: 2 items

Package     Version       Source     Known vulnerabilities  Notes
openviking  * (unpinned)  pip                               No version pinned; --upgrade --force-reinstall allows any version
ov_cli      * (unpinned)  cargo/git                         cargo install from git without commit hash pinning

Security highlights

✓ All Python scripts (viking.py, demo-token-compare.py) are readable, well-structured, and perform their documented functions without hidden behavior
✓ No base64-encoded payloads, obfuscated code, or anti-analysis techniques found
✓ No network exfiltration, C2 communication, or credential harvesting loops detected
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive credential paths
✓ No reverse shell, RCE loops, or persistence backdoors found
✓ The skill is for a legitimate open-source project (OpenViking by ByteDance/Volcengine)
✓ API endpoints are to known legitimate providers (OpenAI, Volcengine, NVIDIA, LiteLLM)