Is ontology safe?
https://clawhub.ai/oswalpalash/ontology
The ontology skill is a legitimate typed knowledge graph system for structured agent memory. It demonstrates good security practices including path traversal protection, credential indirection, and use of safe JSON/YAML parsing. The primary concerns are PII accumulation in plaintext logs and the cross-skill data sharing attack surface that could be exploited by a malicious companion skill.
Category Scores
Findings (8)
MEDIUM PII stored in plaintext append-only log -15
The ontology stores Person entities with name, email, and phone fields in an unencrypted JSONL file. The append-only design means deleted data persists in the log. No access control or encryption is applied.
MEDIUM Python script with YAML dependency -10
ontology.py imports yaml (PyYAML) for schema operations. While yaml.safe_load is used correctly, the dependency on an external Python package introduces supply chain risk if the environment has a compromised yaml module.
LOW JSON input parsing via CLI arguments -5
The script accepts JSON strings via --props and --where CLI arguments. While json.loads is used safely (not eval), malformed JSON could cause unhandled exceptions. The script does not sanitize property values beyond type checking.
LOW Cross-skill data sharing attack surface -10
The skill explicitly positions itself as shared state between skills (the 'Skills that use ontology should declare' guidance and the 'Cross-Skill Communication' section). A malicious companion skill could read all stored entities, including personal data.
LOW Broad trigger phrase matching -5
The skill activates on common phrases like 'remember', 'what do I know about', and 'show dependencies' which could cause unintended skill activation in normal conversation.
INFO Path traversal protection implemented 0
The resolve_safe_path function properly validates that all file paths stay within the workspace root directory, preventing directory traversal attacks via --graph or --schema arguments.
INFO Credential indirection enforced 0
The Credential type uses forbidden_properties to prevent direct storage of secrets, requiring indirection via secret_ref. This is a positive security pattern.
INFO Sensitive file access from runtime, not skill 0
Monitoring shows .env, .aws/credentials, and .profile access, but these accesses originate from the OpenClaw agent runtime bootstrap, not from the skill code itself.