ov-server-operate
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches the installation script for the 'uv' package manager from its official domain (astral.sh).
- Evidence:
curl -LsSf https://astral.sh/uv/install.sh | sh - [REMOTE_CODE_EXECUTION]: Executes the downloaded 'uv' installation script by piping the remote content directly to the shell.
- Evidence:
curl -LsSf https://astral.sh/uv/install.sh | sh - [COMMAND_EXECUTION]: Performs several administrative tasks on the host system to manage the server lifecycle.
- Evidence:
- Installs Python packages using
uv pip install --upgrade openviking. - Manages background processes using
nohup openviking-serverandpkill -f openviking-server. - Performs data cleanup operations using
rm -rfon paths defined in configuration files. - [CREDENTIALS_UNSAFE]: Instructs the agent and user to store sensitive API keys (root_api_key, volcengine-api-key) in local configuration files (
~/.openviking/ov.confand~/.openviking/ovcli.conf). - Evidence: The configuration templates include placeholders for
root_api_keyandapi_keywithin the JSON structures.
Audit Metadata