byted-viking-cli

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to produce and execute viking-cli commands and explicitly shows usage with --api-key <api_key> and passing AK/SK, which encourages embedding secret values directly in generated commands (verbatim), creating an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). The URL is a direct link to an install.sh shell script hosted on an object-storage subdomain (viking-skills.tos-cn-beijing.volces.com) that appears consistent with VolcEngine/ByteDance tooling in the skill context, but delivering an executable shell script for curl|bash installation from an external storage domain is inherently risky and can be used to distribute malware unless you can verify the publisher and integrity of the script.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly supports ingesting external URIs ("knowledge add-doc --uri ") and includes retrieval/service-chat commands ("knowledge search-knowledge", "knowledge service-chat") that will read and act on that user-provided / public web content, so untrusted third‑party content can influence the agent's subsequent decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs installation with "curl -fsSL https://viking-skills.tos-cn-beijing.volces.com/viking-cli/install.sh | bash", which fetches and immediately executes remote code and is presented as the required CLI install for the skill.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill includes commands to fetch and run a remote install script (curl | bash) and even an explicit sudo-install example to write into system directories, which encourages obtaining elevated privileges and modifying system files, so it can compromise the host.