open-prose

Fail

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The core functionality of the skill involves downloading and executing logic from remote sources. The prose run command and use statements are designed to fetch Prose programs from external URLs or the p.prose.md registry and execute them within the VM environment.
  • [DATA_EXFILTRATION]: The examples/48-habit-miner.prose program specifically targets and reads sensitive AI assistant log files from directories such as ~/.claude/, ~/.cursor/, ~/.copilot/, and ~/.aider/. This information is then processed by agents to extract user patterns and generate new automation code.
  • [COMMAND_EXECUTION]: Multiple programs throughout the skill (e.g., holon.prose, the-forge.prose, sentinel.prose) require and utilize unrestricted bash access (bash: allow). These programs execute shell commands for package management (npm install), project builds (cargo build), and system interaction (docker run, curl).
  • [CREDENTIALS_UNSAFE]: The scripts in the common/ directory (e.g., beacon.prose, publisher.prose) solicit and process user credentials (email and password) for interaction with the api-v2.prose.md service. Additionally, state/postgres.md explicitly states that PostgreSQL connection strings containing credentials are visible to subagent sessions and may be logged.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates downloading external dependencies at runtime, such as the ws npm package in holon.prose and various program specifications from GitHub in the workflow-crystallizer.prose.
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection. Programs like pr-review-autofix.prose, skill-scan.prose, and habit-miner.prose ingest untrusted data (code diffs, third-party skill files, and conversation logs) and interpolate them directly into agent prompts without sanitization or clear boundary markers. This data ingestion is coupled with high-privilege capabilities like shell access and file writing.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 18, 2026, 11:09 AM