安全决策报告

cat-viking-memory

Name: cat-viking-memory 可信度判断报告
Item: cat-viking-memory
Rating: 55
Author: ClawSafe

Hardcoded private IP address (192.168.5.110) used for Ollama embedding API calls across multiple scripts sends memory content to an undeclared network endpoint, creating potential data exfiltration risk.

安装决策优先来源: 手动上传扫描时间: 2026/4/4

文件 25

IOC 1

越权项 3

发现 4

最直接的威胁证据

User installs skill based on documented functionality (memory management) 初始入口 · SKILL.md

Skill makes HTTP POST requests to hardcoded private IP (192.168.5.110:11434) 权限提升 · memory-pipeline/memory-embed.sh

Memory content and session data transmitted to external endpoint via embedding API 最终危害 · simple-viking/lib.sh

为什么得出这个结论

2/4 个维度触发

阻止

声明与实际能力

发现 3 项声明之外的能力或越权行为。

复核

隐藏执行与外联

提取到 1 个一般风险产物，需要结合上下文判断。

阻止

攻击链与高危发现

报告包含 3 步攻击链，另有 0 项高危或严重发现。

复核

依赖与供应链卫生

发现 2 项需要关注的依赖或供应链线索。

攻击链

User installs skill based on documented functionality (memory management)

初始入口 · SKILL.md:1

Skill makes HTTP POST requests to hardcoded private IP (192.168.5.110:11434)

权限提升 · memory-pipeline/memory-embed.sh:9

Memory content and session data transmitted to external endpoint via embedding API

最终危害 · simple-viking/lib.sh:142

风险分是怎么被拉高的

Undeclared network behavior +20

SKILL.md does not mention HTTP requests to external/private Ollama endpoint; text content (memories, sessions) is sent to this service

Hardcoded private IP address +15

Multiple scripts hardcode OLLAMA_HOST=http://192.168.5.110:11434 across memory-embed.sh, lib.sh, mp_mention_detect.sh - unusual to use private IP instead of localhost

Shell execution not declared +5

Skill uses extensive bash scripts but SKILL.md does not explicitly declare shell:WRITE capability

Filesystem WRITE not declared +5

write.sh performs file writes; filesystem:WRITE capability implied but not documented

最关键的证据

中危文档欺骗

Undeclared network communication to private IP

SKILL.md declares vector similarity detection but does not document that text content is sent via HTTP POST to http://192.168.5.110:11434/api/embeddings. Memory content and session data could be transmitted to this endpoint.

memory-pipeline/memory-embed.sh:9

Document the Ollama dependency and network requirements explicitly in SKILL.md capabilities section

中危数据外泄

Memory content sent to hardcoded private IP endpoint

get_embedding() function in multiple scripts sends text content to a hardcoded private IP address. Session summaries, memory files, and conversation content are transmitted. If this endpoint is attacker-controlled, sensitive data could be exfiltrated.

simple-viking/lib.sh:142

Use localhost (127.0.0.1) as default Ollama host, or make it a required configuration parameter with no default

低危权限提升

Implicit shell:WRITE capability not declared

Skill uses bash scripts throughout but SKILL.md does not declare shell execution capability

simple-viking/write.sh:1

Add shell:WRITE to the capability declaration in SKILL.md

低危供应链

Python dependencies not pinned

Scripts rely on python3 but do not specify version requirements. Standard library json/math modules are used, which is safe.

multiple

No action required - only standard library modules used

声明能力 vs 实际能力

文件系统 阻止

声明 NONE

→

推断 WRITE

simple-viking/write.sh:14 - echo "$content" > "$target_path"

网络访问 阻止

声明 NONE

→

推断 WRITE

memory-pipeline/memory-embed.sh:9, simple-viking/lib.sh:8 - curl requests to OLLAMA_HOST (http://192.168.5.110:11434)

命令执行 阻止

声明 NONE

→

推断 WRITE

All scripts in memory-pipeline/ and simple-viking/ are bash scripts executing commands

可疑产物与外联

中危外部 URL

http://192.168.5.110:11434

memory-pipeline/memory-embed.sh:9

依赖与供应链

包名	版本	来源	漏洞	备注
python3	`*`	system	否	Standard library only - json, math, os modules used
ollama	`*`	external	否	No version pinning; connects to http://192.168.5.110:11434

文件构成

25 个文件 · 4217 行

Shell 16 个文件 · 2325 行Markdown 7 个文件 · 1597 行TypeScript 1 个文件 · 239 行JSON 1 个文件 · 56 行

需关注文件 · 3

config.json JSON · 56 行

simple-viking/lib.sh Shell · 434 行

Memory content sent to hardcoded private IP endpoint

memory-pipeline/memory-embed.sh Shell · 229 行

Undeclared network communication to private IP · http://192.168.5.110:11434

其他文件 · 使用教程.md · mp_mention_detect.sh · SKILL.md · memory-tier-downgrade.sh · README.md · session-manager.ts +3

25 文件 · 111.0 KB · 4217 行

Shell 16f · 2325LMarkdown 7f · 1597LTypeScript 1f · 239LJSON 1f · 56L

├─ ▾ 📁 memory-pipeline

│ ├─ 📝 SKILL.md Markdown 350L · 8.6 KB

│ ├─ 🔧 memory-auto-save.sh Shell 180L · 5.5 KB

│ ├─ 🔧 memory-embed.sh Shell 229L · 5.3 KB

│ ├─ 🔧 memory-extract-summary.sh Shell 69L · 1.8 KB

│ ├─ 🔧 memory-session-hook.sh Shell 30L · 965 B

│ ├─ 🔧 memory-tier-cron.sh Shell 182L · 5.4 KB

│ ├─ 🔧 memory-tier-downgrade.sh Shell 249L · 8.1 KB

│ ├─ 🔧 memory-tier-gemini.sh Shell 69L · 2.0 KB

│ ├─ 🔧 memory-tools.sh Shell 132L · 3.1 KB

│ └─ 🔧 mp_mention_detect.sh Shell 333L · 9.0 KB

├─ ▾ 📁 references

│ ├─ 📝 README.md Markdown 253L · 6.1 KB

│ ├─ 📜 session-manager.ts TypeScript 239L · 6.0 KB

│ └─ 📝 飞书集成说明.md Markdown 112L · 3.1 KB

├─ ▾ 📁 simple-viking

│ ├─ 📝 README.md Markdown 145L · 4.2 KB

│ ├─ 📝 SKILL.md Markdown 136L · 3.9 KB

│ ├─ 🔧 extract-memory.sh Shell 128L · 3.8 KB

│ ├─ 🔧 find.sh Shell 62L · 1.2 KB

│ ├─ 🔧 lib.sh Shell 434L · 10.9 KB

│ ├─ 🔧 read.sh Shell 78L · 1.7 KB

│ ├─ 🔧 sv_autoload.sh Shell 103L · 3.3 KB

│ ├─ 🔧 update-layers.sh Shell 14L · 362 B

│ └─ 🔧 write.sh Shell 33L · 859 B

├─ 📝 SKILL.md Markdown 119L · 2.9 KB

├─ 🔑 config.json ⚠ JSON 56L · 1.9 KB

└─ 📝 使用教程.md Markdown 482L · 11.1 KB

安全亮点

No credential harvesting detected - scripts do not iterate through environment variables for sensitive keys

No obfuscation patterns found - no base64 encoding, eval(), or anti-analysis techniques

No reverse shell or C2 infrastructure detected

No persistence mechanisms beyond documented crontab entries

TypeScript session manager uses child_process.exec safely with sanitized inputs

Skill is MIT licensed with clear documentation structure