Suspicious — Risk Score 45/100
Last scan: 18 hr ago
cat-viking-memory
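Viking memory system skill pack - automatic management of five memory tiers, protection of important memories, vector-similarity mention detection, automatic saving of Feishu group chat sessions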
Hardcoded private IP address (192.168.5.110) used for Ollama embedding API calls across multiple scripts sends memory content to an undeclared network endpoint, creating potential data exfiltration risk.
Skill Name: cat-viking-memory
Duration: 64.1s
Engine: pi
Use with caution
Document the Ollama network dependency explicitly in SKILL.md. Consider making the Ollama host configurable via environment variables with no default or localhost default. Evaluate whether the private IP 192.168.5.110 is legitimate infrastructure or an unexpected external endpoint.

Attack Chain 3 steps

Entry: User installs skill based on documented functionality (memory management)
  Location: SKILL.md:1
Escalation: Skill makes HTTP POST requests to hardcoded private IP (192.168.5.110:11434)
  Location: memory-pipeline/memory-embed.sh:9
Impact: Memory content and session data transmitted to external endpoint via embedding API
  Location: simple-viking/lib.sh:142

Findings 4 items

Severity: Medium
Finding: Undeclared network communication to private IP (Doc Mismatch)
SKILL.md declares vector similarity detection but does not document that text content is sent via HTTP POST to http://192.168.5.110:11434/api/embeddings. Memory content and session data could be transmitted to this endpoint.
Evidence: OLLAMA_HOST="${OLLAMA_HOST:-http://192.168.5.110:11434}"
→ Document the Ollama dependency and network requirements explicitly in SKILL.md capabilities section
Location: memory-pipeline/memory-embed.sh:9

Severity: Medium
Finding: Memory content sent to hardcoded private IP endpoint (Data Exfil)
get_embedding() function in multiple scripts sends text content to a hardcoded private IP address. Session summaries, memory files, and conversation content are transmitted. If this endpoint is attacker-controlled, sensitive data could be exfiltrated.
Evidence: response=$(curl -s -s --max-time 30 "$OLLAMA_HOST/api/embeddings" -d "{\"model\": \"$EMBED_MODEL\", \"prompt\": \"$text\"}")
→ Use localhost (127.0.0.1) as default Ollama host, or make it a required configuration parameter with no default
Location: simple-viking/lib.sh:142

Severity: Low
Finding: Implicit shell:WRITE capability not declared (Priv Escalation)
Skill uses bash scripts throughout but SKILL.md does not declare shell execution capability
Evidence: #!/usr/bin/env bash
→ Add shell:WRITE to the capability declaration in SKILL.md
Location: simple-viking/write.sh:1

Severity: Low
Finding: Python dependencies not pinned (Supply Chain)
Scripts rely on python3 but do not specify version requirements. Standard library json/math modules are used, which is safe.
Evidence: python3 -c "import json, math"
→ No action required - only standard library modules used
Location: multiple

Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✗ Violation | simple-viking/write.sh:14 - echo "$content" > "$target_path"
Network | NONE | WRITE | ✗ Violation | memory-pipeline/memory-embed.sh:9, simple-viking/lib.sh:8 - curl requests to OLL…
Shell | NONE | WRITE | ✗ Violation | All scripts in memory-pipeline/ and simple-viking/ are bash scripts executing co…

1 finding
Medium External URL
http://192.168.5.110:11434
memory-pipeline/memory-embed.sh:9

File Tree

25 files · 111.0 KB · 4217 lines
Shell 16f · 2325L Markdown 7f · 1597L TypeScript 1f · 239L JSON 1f · 56L
├─ 📁 memory-pipeline
│ ├─ 🔧 memory-auto-save.sh Shell 180L · 5.5 KB
│ ├─ 🔧 memory-embed.sh Shell 229L · 5.3 KB
│ ├─ 🔧 memory-extract-summary.sh Shell 69L · 1.8 KB
│ ├─ 🔧 memory-session-hook.sh Shell 30L · 965 B
│ ├─ 🔧 memory-tier-cron.sh Shell 182L · 5.4 KB
│ ├─ 🔧 memory-tier-downgrade.sh Shell 249L · 8.1 KB
│ ├─ 🔧 memory-tier-gemini.sh Shell 69L · 2.0 KB
│ ├─ 🔧 memory-tools.sh Shell 132L · 3.1 KB
│ ├─ 🔧 mp_mention_detect.sh Shell 333L · 9.0 KB
│ └─ 📝 SKILL.md Markdown 350L · 8.6 KB
├─ 📁 references
│ ├─ 📝 README.md Markdown 253L · 6.1 KB
│ ├─ 📜 session-manager.ts TypeScript 239L · 6.0 KB
│ └─ 📝 飞书集成说明.md Markdown 112L · 3.1 KB
├─ 📁 simple-viking
│ ├─ 🔧 extract-memory.sh Shell 128L · 3.8 KB
│ ├─ 🔧 find.sh Shell 62L · 1.2 KB
│ ├─ 🔧 lib.sh Shell 434L · 10.9 KB
│ ├─ 🔧 read.sh Shell 78L · 1.7 KB
│ ├─ 📝 README.md Markdown 145L · 4.2 KB
│ ├─ 📝 SKILL.md Markdown 136L · 3.9 KB
│ ├─ 🔧 sv_autoload.sh Shell 103L · 3.3 KB
│ ├─ 🔧 update-layers.sh Shell 14L · 362 B
│ └─ 🔧 write.sh Shell 33L · 859 B
├─ 🔑 config.json JSON 56L · 1.9 KB
├─ 📝 SKILL.md Markdown 119L · 2.9 KB
└─ 📝 使用教程.md Markdown 482L · 11.1 KB

Dependencies 2 items

Package | Version | Source | Known Vulns | Notes
python3 | * | system | No | Standard library only - json, math, os modules used
ollama | * | external | No | No version pinning; connects to http://192.168.5.110:11434

Security Positives

✓ No credential harvesting detected - scripts do not iterate through environment variables for sensitive keys
✓ No obfuscation patterns found - no base64 encoding, eval(), or anti-analysis techniques
✓ No reverse shell or C2 infrastructure detected
✓ No persistence mechanisms beyond documented crontab entries
✓ TypeScript session manager uses child_process.exec safely with sanitized inputs
✓ Skill is MIT licensed with clear documentation structure