Suspicious: risk score 45/100
Last scanned: 20 hours ago
cat-viking-memory
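Viking memory system skill pack - automatic management of five memory tiers, protection of important memories, mention detection via vector similarity, automatic saving of Feishu group chat sessions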
Hardcoded private IP address (192.168.5.110) used for Ollama embedding API calls across multiple scripts sends memory content to an undeclared network endpoint, creating potential data exfiltration risk.
Skill name: cat-viking-memory
Analysis time: 64.1s
Engine: pi
Use with caution
Document the Ollama network dependency explicitly in SKILL.md. Consider making the Ollama host configurable via environment variables with no default or localhost default. Evaluate whether the private IP 192.168.5.110 is legitimate infrastructure or an unexpected external endpoint.

Attack chain: 3 steps

Entry: User installs skill based on documented functionality (memory management)
SKILL.md:1
Privilege escalation: Skill makes HTTP POST requests to hardcoded private IP (192.168.5.110:11434)
memory-pipeline/memory-embed.sh:9
Impact: Memory content and session data transmitted to external endpoint via embedding API
simple-viking/lib.sh:142

Security findings: 4

Severity | Finding | Location
Medium
Undeclared network communication to private IP (Documentation deception)
SKILL.md declares vector similarity detection but does not document that text content is sent via HTTP POST to http://192.168.5.110:11434/api/embeddings. Memory content and session data could be transmitted to this endpoint.
OLLAMA_HOST="${OLLAMA_HOST:-http://192.168.5.110:11434}"
→ Document the Ollama dependency and network requirements explicitly in SKILL.md capabilities section
memory-pipeline/memory-embed.sh:9
Medium
Memory content sent to hardcoded private IP endpoint (Data exfiltration)
get_embedding() function in multiple scripts sends text content to a hardcoded private IP address. Session summaries, memory files, and conversation content are transmitted. If this endpoint is attacker-controlled, sensitive data could be exfiltrated.
response=$(curl -s -s --max-time 30 "$OLLAMA_HOST/api/embeddings" -d "{\"model\": \"$EMBED_MODEL\", \"prompt\": \"$text\"}")
→ Use localhost (127.0.0.1) as default Ollama host, or make it a required configuration parameter with no default
simple-viking/lib.sh:142
Low
Implicit shell:WRITE capability not declared (Privilege escalation)
Skill uses bash scripts throughout but SKILL.md does not declare shell execution capability
#!/usr/bin/env bash
→ Add shell:WRITE to the capability declaration in SKILL.md
simple-viking/write.sh:1
Low
Python dependencies not pinned (Supply chain)
Scripts rely on python3 but do not specify version requirements. Standard library json/math modules are used, which is safe.
python3 -c "import json, math"
→ No action required - only standard library modules used
multiple
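Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | WRITE | ✗ Exceeds declared permission | simple-viking/write.sh:14 - echo "$content" > "$target_path"
Network access | NONE | WRITE | ✗ Exceeds declared permission | memory-pipeline/memory-embed.sh:9, simple-viking/lib.sh:8 - curl requests to OLL…
Command execution | NONE | WRITE | ✗ Exceeds declared permission | All scripts in memory-pipeline/ and simple-viking/ are bash scripts executing co…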
1 finding
Medium: External URL
http://192.168.5.110:11434
memory-pipeline/memory-embed.sh:9

Directory structure

25 files · 111.0 KB · 4217 lines
Shell 16f · 2325L Markdown 7f · 1597L TypeScript 1f · 239L JSON 1f · 56L
├─ 📁 memory-pipeline
│ ├─ 🔧 memory-auto-save.sh Shell 180L · 5.5 KB
│ ├─ 🔧 memory-embed.sh Shell 229L · 5.3 KB
│ ├─ 🔧 memory-extract-summary.sh Shell 69L · 1.8 KB
│ ├─ 🔧 memory-session-hook.sh Shell 30L · 965 B
│ ├─ 🔧 memory-tier-cron.sh Shell 182L · 5.4 KB
│ ├─ 🔧 memory-tier-downgrade.sh Shell 249L · 8.1 KB
│ ├─ 🔧 memory-tier-gemini.sh Shell 69L · 2.0 KB
│ ├─ 🔧 memory-tools.sh Shell 132L · 3.1 KB
│ ├─ 🔧 mp_mention_detect.sh Shell 333L · 9.0 KB
│ └─ 📝 SKILL.md Markdown 350L · 8.6 KB
├─ 📁 references
│ ├─ 📝 README.md Markdown 253L · 6.1 KB
│ ├─ 📜 session-manager.ts TypeScript 239L · 6.0 KB
│ └─ 📝 飞书集成说明.md Markdown 112L · 3.1 KB
├─ 📁 simple-viking
│ ├─ 🔧 extract-memory.sh Shell 128L · 3.8 KB
│ ├─ 🔧 find.sh Shell 62L · 1.2 KB
│ ├─ 🔧 lib.sh Shell 434L · 10.9 KB
│ ├─ 🔧 read.sh Shell 78L · 1.7 KB
│ ├─ 📝 README.md Markdown 145L · 4.2 KB
│ ├─ 📝 SKILL.md Markdown 136L · 3.9 KB
│ ├─ 🔧 sv_autoload.sh Shell 103L · 3.3 KB
│ ├─ 🔧 update-layers.sh Shell 14L · 362 B
│ └─ 🔧 write.sh Shell 33L · 859 B
├─ 🔑 config.json JSON 56L · 1.9 KB
├─ 📝 SKILL.md Markdown 119L · 2.9 KB
└─ 📝 使用教程.md Markdown 482L · 11.1 KB

Dependency analysis: 2 items

Package | Version | Source | Known vulnerabilities | Notes
python3 | * | system | | Standard library only - json, math, os modules used
ollama | * | external | | No version pinning; connects to http://192.168.5.110:11434

Security highlights

✓ No credential harvesting detected - scripts do not iterate through environment variables for sensitive keys
✓ No obfuscation patterns found - no base64 encoding, eval(), or anti-analysis techniques
✓ No reverse shell or C2 infrastructure detected
✓ No persistence mechanisms beyond documented crontab entries
✓ TypeScript session manager uses child_process.exec safely with sanitized inputs
✓ Skill is MIT licensed with clear documentation structure