Security audit

Ontology 1

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local knowledge-graph memory skill; it persists user-directed data and schema changes, but I found no hidden network access, credential theft, destructive file behavior, or purpose-mismatched execution.

Install this only if you want a persistent local memory graph. Review memory/ontology periodically, avoid storing passwords, tokens, or raw secrets, prefer secret_ref values, and be deliberate with delete and schema-append because they change shared memory behavior for future agent workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to create and modify workspace files under `memory/ontology` and to use direct file operations, but it does not declare corresponding permissions or capability boundaries. This creates a mismatch between documented behavior and the platform's security model, increasing the chance of unauthorized or unexpected file writes when the skill is invoked.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The manifest describes the skill as a typed knowledge-graph memory tool for entity CRUD, querying, and linking, but the implementation also exposes a schema-append command that can modify the ontology schema itself. In an agent setting, this expands the skill's authority beyond its declared purpose and can be abused to weaken validation rules, alter constraints, or change downstream behavior of other skills relying on the shared schema.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list in the frontmatter is broad enough to activate this skill for common phrases like 'remember' or general cross-skill data access requests, even when ontology storage is not the intended tool. Over-broad activation can cause unnecessary persistence of user data, unintended writes, or routing of sensitive requests into a skill with file-writing behavior.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger 'Skill needs shared state' is too vague to meaningfully constrain invocation and could match a large fraction of unrelated tasks. In this context, that is more dangerous because the skill supports persistent shared memory and file writes, so accidental invocation may expose, persist, or transform data across skills without clear user intent.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The delete command immediately appends a delete operation for any referenced entity without any confirmation, dry-run, or safety interlock. In a shared agent-memory context, accidental or prompt-induced deletion can silently remove important state and disrupt other skills or workflows that depend on the graph.

VirusTotal

61/61 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.