open-prose
Warn
Audited by Snyk on Mar 18, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). SKILL.md and compiler.md explicitly describe fetching and executing remote .prose programs from arbitrary URLs and registry handles (e.g., "prose run https://raw.githubusercontent.com/..." and resolving handle/slug to https://p.prose.md/{path}, and
usestatements that fetch program content), so untrusted third-party content is read/parsed and can directly alter execution and tool behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches and executes remote .prose programs at runtime (e.g., direct URL example "prose run https://raw.githubusercontent.com/openprose/prose/main/skills/open-prose/examples/48-habit-miner.prose" and registry resolution to "https://p.prose.md/{path}"), so content from those URLs is loaded into the VM and can directly control agent prompts and execution.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata