ontology
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill documentation encourages the agent to interact with a local script `scripts/ontology.py` using shell commands where JSON-formatted data is passed as arguments (e.g., `python3 scripts/ontology.py create --props '...'`). This pattern is highly susceptible to command injection if property values or query filters containing shell metacharacters are not rigorously escaped by the agent or the underlying script.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) as it is designed to ingest and retrieve untrusted data from multiple sources (notes, emails, project descriptions).
  - Ingestion points: Data enters the system via the `create` and `update` commands through entity properties like `notes`, `description`, and `content` (identified in `SKILL.md` and `references/schema.md`).
  - Boundary markers: The skill uses JSON structures as boundaries, but these are primarily for data integrity rather than security isolation against adversarial instructions.
  - Capability inventory: The skill possesses file read/write capabilities for `graph.jsonl` and `schema.yaml`, and the ability to execute its own CLI tool.
  - Sanitization: While the schema reference (`references/schema.md`) defines validation rules for types and enums, there is no evidence of sanitization to prevent embedded instructions from influencing the agent's behavior during graph traversal or query results.
Audit Metadata