Trust Assessment
openviking-mcp received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 3 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Network egress to untrusted endpoints", "Arbitrary command execution", and "Remote code execution: curl/wget pipe to shell".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/zaynjarvis/openviking-mcp/SKILL.md:78 |
| CRITICAL | **Arbitrary command execution.** Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/zaynjarvis/openviking-mcp/SKILL.md:17 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/zaynjarvis/openviking-mcp/SKILL.md:17 |
| HIGH | **Skill requests user to paste API key configuration.** The skill explicitly instructs the host LLM to ask the user to paste their `ov.conf` file, which contains sensitive API tokens (OpenAI API keys). Although it advises redaction, this creates a significant risk of accidental credential exposure if the user forgets to redact or if the LLM fails to redact properly. A safer approach would be to ask for confirmation of setup without requesting the file content, or to guide the user to verify specific parts of the config without exposing the full file. Modify the instruction to avoid requesting the `ov.conf` file content. Instead, ask the user for confirmation that they have configured the file correctly, or guide them to verify specific non-sensitive aspects of the configuration. For example: "Confirm you have updated `ov.conf` with your OpenAI API keys." | LLM | SKILL.md:39 |
| MEDIUM | **Unpinned Git repository clone and dependency installation.** The skill instructs the user to clone `https://github.com/ZaynJarvis/openviking.git` without specifying a particular commit hash or tag. This means the skill relies on the `HEAD` of the default branch, which can change over time. Subsequently, `uv sync` is used to install dependencies from this unpinned repository. If the upstream repository is compromised or undergoes breaking/malicious changes, the user's environment could be affected without their explicit knowledge or consent. Pin the `git clone` command to a specific commit hash or tag (e.g., `git clone -b <tag_or_commit> https://github.com/ZaynJarvis/openviking.git`). Additionally, ensure that the `pyproject.toml` or `requirements.txt` within the cloned repository explicitly pins all dependencies to specific versions to prevent transitive dependency issues. | LLM | SKILL.md:25 |