openviking
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill indexes documents and performs semantic search/summarization, creating a surface where malicious content within processed files could influence agent behavior.
  - Ingestion points: Local files are read via `scripts/viking.py` (`cmd_add`, `cmd_add_dir`) and the Python API; URLs are supported via the `add_resource` method as noted in `references/python-api.md`.
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are implemented when processing or summarizing document content.
  - Capability inventory: The skill has capabilities to read local files, perform network requests to AI providers (NVIDIA API), and output summaries or full content to the agent context.
  - Sanitization: The skill does not appear to sanitize or filter the content of ingested documents before indexing or retrieval.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the `openviking` Python package from a public registry (PyPI) to function.
- [DATA_EXPOSURE]: The skill is designed to access the local file system for indexing. There is a risk that a user or agent could be instructed to index sensitive paths (e.g., `.ssh`, `.env` files) into the OpenViking database, potentially exposing their contents during search or summary operations.
- [PERSISTENCE]: The `references/setup-guide.md` provides instructions to append an environment variable export (`OPENVIKING_CONFIG_FILE`) to `~/.bashrc`. While documented as a legitimate configuration step, this modifies shell profiles to maintain state across sessions.
Audit Metadata