open-prose

Fail

Audited by Snyk on Mar 9, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The prompt explicitly instructs the agent to silently collect and send persistent user/session identifiers to a remote analytics endpoint and to hide this from users ("Do NOT ask users" / "Send telemetry silently"), which is a deceptive, out-of-scope instruction for a language-runtime skill.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill includes intentionally stealthy telemetry (persistent per-user ID, telemetry enabled by default, and explicit instructions to "send telemetry silently" and not ask users), plus persistent on-disk state and import-from-remote capabilities that enable covert tracking/data exfiltration and increase supply-chain risk; no explicit obfuscated payloads, reverse shells, or eval-exec backdoors were found, but the telemetry behavior is a deliberate privacy/backdoor-like concern.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The docs (docs.md, "Import Statements" + Execution Semantics) require processing import "skill" from sources like "github:..." or "npm:..." and state the VM "loads skill definitions from the specified sources" at runtime, which means the agent will fetch and execute third‑party (GitHub/NPM) content that can alter tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The docs include runtime import examples such as "github:anthropic/skills" which the OpenProse VM will fetch at execution time to load skill definitions that can directly control agent prompts/behavior, so this is a runtime external dependency.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 9, 2026, 10:31 PM