The skill allows command injection, poisons the
Claims to do
Ontology: A typed vocabulary + constraint system for representing knowledge as a verifiable graph.
Actually does
The skill executes `python3 scripts/ontology.py` commands to manage a local knowledge graph. It reads from and writes to `memory/ontology/graph.jsonl` for entity and relation data, and `memory/ontology/schema.yaml` for type definitions and constraints. It can create, query, link, and validate entities, and manage the schema.
openclaw skills install oswalpalash/ontology
The skill explicitly executes `python3 scripts/ontology.py` with arguments derived from agent input. This allows for potential command injection if inputs are not properly sanitized, or execution of arbitrary code if the `ontology.py` script is replaced or modified.
python3 scripts/ontology.py create --type Person --props '{"name":"Alice","email":"alice@example.com"}'
The skill explicitly states it 'reads/writes workspace files' and operates on local JSONL and YAML files. While intended for ontology data, this capability could be abused to read or write other sensitive files within the agent's workspace.
Runtime instructions operate on local files... The skill reads/writes workspace files
The `Credential` and `Account` entity types use `secret_ref` or `credential_ref` to point to external secrets. An attacker could manipulate these references within the ontology to redirect the agent to attacker-controlled secret stores or invalid references, potentially leading to credential harvesting or denial of service for secret access.
Credential: { service, secret_ref }
Account: { service, username, credential_ref? }
The skill's primary function is to manage the agent's structured memory (ontology). An attacker can inject false entities, relations, or modify the schema to poison the agent's knowledge base, influencing its future reasoning and actions.
description: Typed knowledge graph for structured agent memory...
python3 scripts/ontology.py create --type Person --props '{...}'
python3 scripts/ontology.py schema-append --data '{...}'
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.