Back to skill

Security audit

ontology-pro

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-aligned, but it needs review because it can persist and reuse user-derived knowledge across sessions without clear consent or retention controls.

Install only if you are comfortable with long-lived local knowledge graphs being created from content you provide. Avoid personal, regulated, client, or confidential data unless you have a clear storage path, retention policy, and deletion process. Prefer explicit ontology or memory commands rather than letting broad automatic triggers handle ordinary analysis requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (16)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The activation conditions are broad enough to trigger on common requests like analysis, decision support, or reasoning, which can cause the skill to activate unexpectedly and apply its special behaviors outside the user's clear intent. In this skill, that risk is amplified because activation can lead into persistent memory and strategy generation, creating privacy and autonomy concerns from ordinary conversations.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The command mappings rely on vague everyday phrases such as 'analyze this content' or 'what should I do,' which overlap heavily with normal assistant usage. That makes accidental routing likely, and in this context accidental routing is more dangerous because it can invoke multi-step reasoning and memory persistence without clear user awareness.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill advertises persistent cross-session memory as a core feature but provides no user-facing notice, consent flow, retention limit, or data-sensitivity boundary. This is dangerous because users may share sensitive information during analysis without realizing it will be retained and reused later, increasing privacy leakage and unauthorized profiling risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
The memory workflow explicitly saves user-provided knowledge and analysis outputs to persistent storage, yet it does not describe consent, review, deletion, or safeguards against storing sensitive material. Because the saved graph is intended for later reuse, it can expose prior session data through memory replay, inference, or accidental retrieval in unrelated contexts.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The auto-load triggers are extremely broad and include common requests like analysis, reasoning, and decision support. This can cause the skill to activate in unrelated conversations, unexpectedly applying its memory and reasoning behaviors to user content without clear consent.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The command mappings rely on everyday language such as 'think deeply' and 'what should I do', which are likely to appear in normal user conversation. That creates intent-collision risk, where the skill may route or execute ontology workflows when the user did not actually mean to invoke this capability.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill explicitly advertises cross-session accumulation of knowledge but provides no warning, consent flow, retention policy, or opt-out. In practice, this can lead to persistent storage of user-provided information across sessions, including sensitive or regulated data, without user awareness.

Missing User Warnings

High
Confidence
99% confidence
Finding
The memory workflow instructs the system to save incremental knowledge to persistent storage and reuse it in later sessions, but does not require user permission or any privacy guardrails. This creates a direct pathway for retaining conversational content indefinitely and later resurfacing it in unrelated contexts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The protocol explicitly defines permanent cross-session memory layers and describes reuse of prior session knowledge, but it does not mention any user notice, consent flow, retention policy, or way to disable persistence. In a user-facing agent, silently retaining and re-injecting prior session data can expose sensitive information across interactions and violate user expectations around data minimization and privacy.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This section documents automatic loading of prior graph data based on keyword/domain detection and automatic prompt injection during reasoning, without requiring user confirmation. That behavior is more dangerous than passive storage because it can surface unrelated or sensitive historical data into new prompts, increasing the risk of privacy leakage, incorrect personalization, and unintended cross-context data exposure.

Ssd 3

Medium
Confidence
92% confidence
Finding
The trigger list includes continuous learning and cross-session accumulation of knowledge in plain language, normalizing retention as a default behavior. This is risky because it encourages collecting user-provided information over time without clear limits, making later disclosure, over-collection, or inference about the user more likely.

Ssd 3

Medium
Confidence
97% confidence
Finding
The workflow directs the system to persist analysis results and historical knowledge for later reuse, which creates a concrete risk that one user's prior data will influence or appear in later interactions. In a reasoning-oriented skill, retained graph data can also reveal inferred relationships that are more sensitive than the original text.

Ssd 3

Medium
Confidence
90% confidence
Finding
The design principle 'remember rather than forget' broadly encourages persistence of every interaction's knowledge, which is unsafe because it treats retention as the norm instead of an exceptional, consented behavior. That framing increases the chance of storing sensitive or unnecessary data and later surfacing it through memory-assisted outputs.

Ssd 3

Medium
Confidence
97% confidence
Finding
Persistent memory without minimization rules or sensitivity boundaries increases the chance that secrets, personal data, or confidential business information will be retained and later exposed through future prompts. The skill context makes this more dangerous because it is designed to systematically extract and structure information, which can preserve sensitive facts in a highly reusable form.

Ssd 3

Medium
Confidence
98% confidence
Finding
The workflow operationalizes long-term storage of analysis-derived knowledge from conversations for future sessions, creating a realistic risk of unintended disclosure. Because the skill converts freeform user input into structured entities and relationships, it can make sensitive content easier to retrieve, infer from, or leak later.

Ssd 3

Low
Confidence
88% confidence
Finding
The example normalizes storing user-supplied facts in long-term memory as a default behavior. While the sample fact is not especially sensitive, the pattern encourages operators and users to treat arbitrary conversation content as suitable for persistent retention, which can lead to privacy leakage in real deployments.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.