Skill Trust Decision

cat-viking-memory

Hardcoded private IP address (192.168.5.110) used for Ollama embedding API calls across multiple scripts sends memory content to an undeclared network endpoint, creating potential data exfiltration risk.

Install decision first
Source: Manual upload · Scanned: Apr 4, 2026
Files 25
Artifacts 1
Violations 3
Findings 4

Why this conclusion was reached

2/4 dimensions flagged

Block · Declared vs actual capability
3 undeclared or violating capabilities were inferred.

Review · Hidden execution and egress
1 lower-risk artifact was extracted and still needs context.

Block · Attack chain and severe findings
The report includes 3 attack-chain steps and 0 severe findings.

Review · Dependencies and supply chain hygiene
2 dependency or supply-chain issues need attention.

Attack Chain

01
User installs skill based on documented functionality (memory management)

Entry · SKILL.md:1

02
Skill makes HTTP POST requests to hardcoded private IP (192.168.5.110:11434)

Escalation · memory-pipeline/memory-embed.sh:9

03
Memory content and session data transmitted to external endpoint via embedding API

Impact · simple-viking/lib.sh:142

What drove the risk score up

Undeclared network behavior +20

SKILL.md does not mention HTTP requests to external/private Ollama endpoint; text content (memories, sessions) is sent to this service

Hardcoded private IP address +15

Multiple scripts hardcode OLLAMA_HOST=http://192.168.5.110:11434 across memory-embed.sh, lib.sh, mp_mention_detect.sh - unusual to use private IP instead of localhost

Shell execution not declared +5

Skill uses extensive bash scripts but SKILL.md does not explicitly declare shell:WRITE capability

Filesystem WRITE not declared +5

write.sh performs file writes; filesystem:WRITE capability implied but not documented

Most important evidence

Medium Doc Mismatch

Undeclared network communication to private IP

SKILL.md declares vector similarity detection but does not document that text content is sent via HTTP POST to http://192.168.5.110:11434/api/embeddings. Memory content and session data could be transmitted to this endpoint.

memory-pipeline/memory-embed.sh:9
Document the Ollama dependency and network requirements explicitly in SKILL.md capabilities section

Medium Data Exfil

Memory content sent to hardcoded private IP endpoint

get_embedding() function in multiple scripts sends text content to a hardcoded private IP address. Session summaries, memory files, and conversation content are transmitted. If this endpoint is attacker-controlled, sensitive data could be exfiltrated.

simple-viking/lib.sh:142
Use localhost (127.0.0.1) as default Ollama host, or make it a required configuration parameter with no default

Low Priv Escalation

Implicit shell:WRITE capability not declared

Skill uses bash scripts throughout but SKILL.md does not declare shell execution capability

simple-viking/write.sh:1
Add shell:WRITE to the capability declaration in SKILL.md

Low Supply Chain

Python dependencies not pinned

Scripts rely on python3 but do not specify version requirements. Standard library json/math modules are used, which is safe.

multiple
No action required - only standard library modules used

Declared capability vs actual capability

Filesystem · Block
Declared NONE · Inferred WRITE
simple-viking/write.sh:14 - echo "$content" > "$target_path"

Network · Block
Declared NONE · Inferred WRITE
memory-pipeline/memory-embed.sh:9, simple-viking/lib.sh:8 - curl requests to OLLAMA_HOST (http://192.168.5.110:11434)

Shell · Block
Declared NONE · Inferred WRITE
All scripts in memory-pipeline/ and simple-viking/ are bash scripts executing commands

Suspicious artifacts and egress

Medium External URL
http://192.168.5.110:11434

memory-pipeline/memory-embed.sh:9

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
python3 | * | system | No | Standard library only - json, math, os modules used
ollama | * | external | No | No version pinning; connects to http://192.168.5.110:11434

File composition

25 files · 4217 lines
Shell 16 files · 2325 lines
Markdown 7 files · 1597 lines
TypeScript 1 file · 239 lines
JSON 1 file · 56 lines
Files of concern · 3
config.json JSON · 56 lines
simple-viking/lib.sh Shell · 434 lines
Memory content sent to hardcoded private IP endpoint
memory-pipeline/memory-embed.sh Shell · 229 lines
Undeclared network communication to private IP · http://192.168.5.110:11434
Other files · 使用教程.md · mp_mention_detect.sh · SKILL.md · memory-tier-downgrade.sh · README.md · session-manager.ts +3

Security positives

No credential harvesting detected - scripts do not iterate through environment variables for sensitive keys
No obfuscation patterns found - no base64 encoding, eval(), or anti-analysis techniques
No reverse shell or C2 infrastructure detected
No persistence mechanisms beyond documented crontab entries
TypeScript session manager uses child_process.exec safely with sanitized inputs
Skill is MIT licensed with clear documentation structure