ontopo
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHNO_CODEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [NO_CODE] (LOW): The core implementation file 'scripts/ontopo-cli.py' is referenced throughout the documentation and skill configuration but is missing from the provided files, making the tool non-functional and its safety unverifiable.\n- [EXTERNAL_DOWNLOADS] (HIGH): The installation instructions in README.md recommend using 'npx skills add' to download and execute code from an untrusted GitHub repository ('alexpolonsky/agent-skills'). This is a significant risk as the source is not within the provided trusted scope.\n- [PROMPT_INJECTION] (MEDIUM): The skill is vulnerable to indirect prompt injection because it fetches untrusted data from the Ontopo API. 1. Ingestion points: External data enters the agent context through 'search', 'info', and 'menu' commands. 2. Boundary markers: None identified; the output is passed to the agent without delimiters. 3. Capability inventory: The skill executes local Python scripts with network access via 'httpx'. 4. Sanitization: Verification is impossible due to the missing source code.\n- [COMMAND_EXECUTION] (LOW): The skill's primary function involves invoking a Python script via the shell, which is a standard but noteworthy behavior for agent skills.
Recommendations
- AI detected serious security threats
Audit Metadata