openviking-context-database
Fail
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill recommends a high-risk installation method:
curl -fsSL https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh | bash. This command downloads and executes a script from a remote source without any prior integrity verification. It also suggestscargo install --gitfrom the same untrusted repository. - [EXTERNAL_DOWNLOADS]: The skill instructs users to fetch installation scripts, packages, and software from the
volcengineorganization on GitHub, which is not recognized as a trusted vendor in the provided configuration. - [PROMPT_INJECTION]: The skill's implementation patterns (e.g., Pattern 1) demonstrate a surface for indirect prompt injection by interpolating retrieved context into LLM system prompts without proper safety measures.
- Ingestion points: External data enters the agent context through
brain.write(from local files) andsession.add_turn(from user conversation history) as shown inSKILL.md. - Boundary markers: The prompt construction examples lack delimiters or specific instructions for the AI to ignore potential commands embedded within the retrieved context.
- Capability inventory: The skill possesses capabilities for local filesystem writes and persistent agent memory management.
- Sanitization: There is no evidence of logic to sanitize, escape, or validate the retrieved data before it is interpolated into the prompts.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/volcengine/OpenViking/main/crates/ov_cli/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata