Skills
skills/frames-engineering/skills/open-prose/Gen Agent Trust Hub

open-prose

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTION
Full Analysis
  • [Credentials Unsafe / Data Exfiltration] (HIGH): Multiple core scripts (e.g., common/beacon.prose, common/publisher.prose, common/sentinel.prose, common/arbiter.prose) explicitly prompt the user for email:password credentials and transmit them to https://api-v2.prose.md. Transmitting raw credentials to a non-whitelisted third-party domain is a significant security risk.
  • [Command Execution] (HIGH): The skill extensively utilizes the bash: allow permission across various workflows (e.g., lib/vm-improver.prose, examples/33-pr-review-autofix.prose, examples/35-feature-factory.prose). This allows the agent to execute arbitrary shell commands including git, curl, npm, and gh, providing a large attack surface for system-level exploitation.
  • [Remote Code Execution] (MEDIUM): The framework supports a modular import system (e.g., examples/11-skills-and-imports.prose) that fetches logic from external sources like github:example/code-review and npm:@example/summarizer. While some sources like anthropic/skills are trusted, the mechanism facilitates the loading and execution of unverifiable remote scripts from arbitrary repositories.
  • [Indirect Prompt Injection] (LOW): The skill possesses a substantial attack surface for indirect prompt injection because it is designed to process untrusted external data.
  • Ingestion points: Inputs such as bug_report in bug-hunter.prose, pr_diff in pr-review-autofix.prose, and thread in workflow-crystallizer.prose ingest data from potentially adversarial sources.
  • Boundary markers: The system relies on simple triple-quote delimiters (""") which are insufficient to prevent a sophisticated attacker from breaking out of the context and influencing the 'VM' (the agent) or subagents.
  • Capability inventory: The framework has high-privilege capabilities including filesystem write access, network operations, and shell command execution.
  • Sanitization: There is no evidence of automated escaping or sanitization of external content before it is interpolated into prompts or executed as part of the DSL.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 21, 2026, 03:47 AM