OpenViking

Security checks across malware telemetry and agentic risk

Overview

This is a real remote memory plugin, but it needs review because it stores chat data remotely and has under-scoped logging and deletion behavior that can expose or remove remembered information.

Review before installing. Only point this plugin at an OpenViking server you control or trust, preferably over HTTPS. Expect conversation turns, recalled memories, and some tool/resource data to be stored and later injected into context. Disable autoCapture, autoRecall, emitStandardDiagnostics, and logFindRequests if that does not fit your privacy model, and be careful with memory_forget and resource imports because they can delete memories or upload local content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (29)

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The guide instructs users/agents to run `rm -rf ~/.openclaw/extensions/openviking/` during migration without an explicit warning that this irreversibly deletes local plugin files. In an automation-oriented install guide, destructive cleanup commands are risky because users may run them blindly or adapt them incorrectly, causing loss of local state or custom modifications.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
These migration steps reset plugin configuration and delete `~/.openclaw/extensions/memory-openviking/` without a prominent warning about impact on the existing installation. Because the document is written for both humans and automation, silent destructive cleanup can lead to accidental removal of installed components or unexpected service disruption.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The agent-facing example instructs a user to install and configure a plugin that automatically archives every conversation turn to a remote server, but the example does not present an explicit privacy warning or informed-consent step before setup. In an agent context, users may delegate installation conversationally and not realize subsequent chats will be continuously transmitted and retained off-box, creating a meaningful privacy and data-governance risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
This code automatically performs network-backed memory searches and reads from user, agent, and optional resource stores based on the current query, then injects the retrieved content into context without any explicit user-facing disclosure or consent step in this file. Even though the behavior appears intended to improve recall rather than exfiltrate data, it can expose sensitive prior memories or resource contents to downstream model processing in ways the user may not expect.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The interactive setup flow writes configuration and then activates the contextEngine slot without an explicit confirmation step, which can change plugin ownership as a side effect of a setup command. In a CLI/plugin ecosystem, silently taking over a shared slot can disable or supersede another plugin’s behavior and create unexpected security or availability consequences, especially if the user did not realize setup would modify routing/activation state.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The code logs assembled session content, including role and content previews, to diagnostics. Conversation history can contain secrets, personal data, prompts, and tool outputs; writing that to logs expands exposure to operators, log processors, and anyone with log access, and logs often have broader retention than the primary data path.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The compact path logs the full raw result of getSessionContext using JSON.stringify, which can include complete restored messages, archive overviews, and abstracts. This creates a high-risk diagnostic exfiltration channel because post-compaction context is likely to aggregate large amounts of sensitive historical conversation data into one log event.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
This code automatically retrieves memories from user, agent, and optional resource stores and injects their content into the model context without any visible consent, disclosure, or sensitivity filtering at the injection point. Even though the block is labeled as auto-recall, the behavior can surface prior private or sensitive memory content to downstream model processing in ways the user may not expect, creating a privacy and contextual data leakage risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The assemble path logs previews of assembled message content, including user/session text, which can expose sensitive conversation data into application logs. Logs are often accessible to operators, aggregators, and third-party observability systems, so this expands the data exposure surface well beyond the chat session itself.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
Diagnostic logging includes message digests and sender identifiers during assemble, which can reveal private prompts, recalled content, and user identity metadata. Even truncated digests are sufficient to leak sensitive material, especially when correlated across sessions or retained centrally.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The afterTurn diagnostics capture newly added turn messages and sender identifiers, directly persisting per-turn conversation content into logs. This creates a secondary store of potentially sensitive user and assistant data that may bypass primary access controls, deletion policies, or user expectations.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The compaction path logs raw `getSessionContext` output and restored message summaries, which may include archived history, summaries, and message previews from prior turns. Because compaction touches long-lived session memory, a single log event can expose a broad slice of historical sensitive data, increasing confidentiality and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The memory_forget tool can permanently delete memories either directly by URI or automatically when a single high-scoring match is found, without any explicit confirmation step, authorization gate, or user-visible warning. In an agent skill that exposes long-term memory operations, this increases the chance of accidental deletion from ambiguous prompts, prompt injection, or model misinterpretation, causing integrity loss of stored user data.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The legacy wrapper converts structured tool interactions into flat text strings and includes serialized toolInput plus raw toolOutput. Tool inputs and outputs often contain secrets, personal data, or internal context, so flattening them into generic transcript text increases the chance of unintended retention, logging, downstream model exposure, or display to components that were only meant to process ordinary chat text.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The memory_forget tool will automatically delete a memory when search returns a single strong match (score >= 0.85) without requiring explicit confirmation from the user. This can cause unintended destruction of user data or long-term context if the match is wrong, especially because similarity scores are heuristic and may misidentify the target.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The logging helpers intentionally serialize and summarize memory records, including URIs and abstract/overview text, which may contain sensitive user memory content. Even though the code trims and truncates output, it does not redact secrets, apply data classification, or gate logging by sensitivity, so private data can still be exposed to logs, telemetry systems, or operators.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The plugin is configured to activate on startup and declares broad capabilities (hook and tool), which increases the attack surface and causes the component to run even when its functionality is not explicitly needed. In a memory-management context, eager activation can expose conversation data, trigger unintended network access to the configured OpenViking server, and make any downstream implementation flaws easier to reach.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The configuration advertises automatic capture and automatic recall of conversation-derived memories, but the manifest does not present a strong privacy warning, consent boundary, or clear data-handling notice. Because this is a context-engine plugin that stores and retrieves memory, silent auto-capture can lead to sensitive prompts, personal data, credentials, or proprietary content being sent to and retained by an external service without informed user awareness.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger list includes very broad terms such as 'RAG', 'set up memory', and 'semantic memory', which can cause the skill to activate during ordinary discussion rather than an explicit install request. In this context, accidental activation is risky because the skill then drives installation and configuration of a persistence plugin that captures and recalls user data across sessions.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The skill prominently advertises automatic cross-session capture and recall of important facts, but the workflow does not require a clear privacy notice and explicit informed consent before setup proceeds. Because the installed plugin persistently stores conversation-derived data, users may enable long-term retention of sensitive information without understanding the privacy and data-governance consequences.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The code packages full tool inputs and outputs into downstream message objects without any redaction, minimization, or sensitivity filtering. Tool arguments and results often contain API responses, file contents, identifiers, or secrets, so forwarding them wholesale can leak sensitive data into memory, logs, analytics, or external processing systems beyond the original tool boundary.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The legacy wrapper emits full `toolInput` via `JSON.stringify`, which can expose raw parameters such as credentials, personal data, filesystem paths, or query contents in a flattened text channel. Flattening structured tool data into plain text also increases accidental propagation into logs, prompts, summaries, and external services that may not enforce the same access controls as the original structured object.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
`messageDigest` builds plain-language summaries of message content, including text, tool calls, and tool results, and this helper is later used in diagnostic logging. That means private prompts, tool arguments, and tool outputs can be transformed into loggable strings, creating a clear sensitive-data exposure path.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
Assemble diagnostics include digests of both input messages and reconstructed context, exposing user content, archive-derived material, and possibly tool-related data in logs. Since this occurs on a central context-construction path, many sessions may be affected whenever diagnostics are enabled.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The afterTurn flow computes and logs digests for newly added user/assistant messages, exposing fresh conversational content and making sensitive turn data available in log pipelines. This is especially risky because new-turn messages may contain secrets, personal data, or outputs from external tools before any downstream sanitization or retention controls apply.

VirusTotal

56/56 vendors flagged this plugin as clean.