ontology

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a coherent local knowledge-graph memory skill, but it intentionally stores persistent shared agent memory that users should manage carefully.

This skill looks safe for its stated purpose if you want a local structured memory graph. Before installing, decide what the agent is allowed to remember, avoid storing passwords or tokens, and periodically review the files under memory/ontology because they are persistent and append-only.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

No VirusTotal findings for this skill version.

Malicious: 0
Suspicious: 0
Harmless: 0
Undetected: 64

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Information stored in the ontology may influence later agent behavior and may remain in the local graph history even after logical updates or deletes.

Why it was flagged

The skill intentionally persists shared memory for reuse across tasks and skills, and the append-only design means prior graph entries may remain in the underlying file history.

Skill content

Default: `memory/ontology/graph.jsonl` ... `Skill needs shared state | Read/write ontology objects` ... `Append-Only Rule ... preserves history`

Recommendation

Only store information you are comfortable retaining as agent memory, avoid secrets, periodically inspect or prune the graph file, and use secret references rather than actual credentials.

What this means

Incorrect or unintended invocations could add, link, update, or logically delete entries in the local ontology graph.

Why it was flagged

The helper script exposes local create, relate, update, query, and delete operations for the graph, which is expected for this skill but still changes persistent local memory.

Skill content

Usage: ... python ontology.py create ... python ontology.py relate ... python ontology.py delete --id p_001

Recommendation

Review agent actions that mutate the graph, run validation after changes, and back up the memory/ontology files if the graph is important.

What this means

Users have less external context for verifying maintainership, change history, or upstream documentation.

Why it was flagged

The registry does not provide an upstream source or homepage for independent provenance review.

Skill content

Source: unknown; Homepage: none

Recommendation

Inspect the packaged files before relying on the skill for sensitive memory, especially because it stores durable local state.