Skill v1.0.0
ClawScan security
Ontology · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Suspicious (Apr 17, 2026, 4:28 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is coherent with an on-disk typed knowledge graph (no network or secrets requested), but the shipped Python script does not consistently enforce safe path restrictions and can read/write arbitrary filesystem locations if invoked with custom paths, an oversight that increases risk.
- Guidance: This skill appears to be what it claims: a local, file-backed typed knowledge graph with a CLI Python script. It does not ask for network credentials or contact external endpoints. However, a concrete implementation issue raises risk: the code includes a resolve_safe_path helper that would restrict file access to the workspace, but the core load/append functions shown do not call it, meaning a crafted or mistaken --graph-path argument can make the script read or append to arbitrary files. Before installing or enabling this skill: (1) inspect the full scripts/ontology.py to confirm all file paths are validated (or patch the code to use resolve_safe_path for any user-supplied path), (2) run the skill in an isolated workspace or sandbox (with limited permissions) to prevent accidental overwrites or exposure of sensitive files, (3) avoid storing secrets in the ontology (use external secret stores and the secret_ref pattern), and (4) if you will allow autonomous agent invocation, consider restricting which graph paths the agent may use. If you want, I can point to the exact functions to change and provide a minimal patch that enforces resolve_safe_path for append_op and load_graph.
Review Dimensions
- Purpose & Capability (ok): Name/description (ontology/typed knowledge graph) align with the included SKILL.md and the Python script. No unexpected credentials, binaries, or external services are requested; the functionality described (entity CRUD, relations, validation, local storage) matches the code and docs.
- Instruction Scope (concern): SKILL.md instructs the agent and user to use a workspace-local storage path (memory/ontology/graph.jsonl) and provides CLI examples. However, while a helper resolve_safe_path that enforces staying within a workspace exists in the code, the primary graph load/append functions shown (load_graph, append_op) operate directly on arbitrary provided paths (Path(path)) without using resolve_safe_path. That means an attacker or mistaken invocation that supplies a custom --graph-path could cause the skill to read or append to arbitrary files on the filesystem, potentially overwriting or exfiltrating local data. The instructions themselves do not tell the agent to access other system state or external endpoints.
- Install Mechanism (ok): No install spec; instruction-only plus a Python script. This is low-risk from a supply-chain perspective because nothing is downloaded or executed by an automated installer. The agent/user is expected to run the included Python script locally.
- Credentials (ok): The skill declares no required environment variables or credentials, and the documented ontology schema purposely forbids storing secrets directly. That is proportionate for a local ontology manager. Note: schema references to secret_ref are guidelines only; there is no integration with a secret manager in the shipped code.
- Persistence & Privilege (note): The skill does not request always:true and is user-invocable only. It writes to local files (append-only graph.jsonl) by design. The main concern is that file writes are not strongly sandboxed in the implementation; persistence is expected but could affect arbitrary paths if invoked with custom arguments.
