open-prose
Fail
Audited by Snyk on Feb 21, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill package intentionally enables fetching and executing remote .prose programs, passing live credentials and filesystem/DB paths to spawned subagents, invoking shell/Node installs and outbound network/WebSocket connections — together these constructs create clear vectors for credential exfiltration, remote code execution, persistent backdoors, and supply‑chain abuse if misused.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). This skill's SKILL.md explicitly fetches and executes .prose programs from arbitrary URLs or registry handles (see "Remote Programs" / "Steps for remote programs" and the "prose run https://..." examples) and compiler.md's "use" statements describe fetching imports from https://p.prose.md/{path}, meaning untrusted third‑party program text is ingested and executed and can change agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches and executes remote .prose programs at runtime (e.g., "prose run https://raw.githubusercontent.com/openprose/prose/main/skills/open-prose/examples/48-habit-miner.prose" and via registry resolution to https://p.prose.md/{path}), so fetched content can directly control prompts/instructions and drive execution.
Audit Metadata