prose
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The framework allows running '.prose' programs directly from arbitrary URLs (e.g., prose run https://...). This pattern allows the execution of logic fetched from untrusted remote sources at runtime.
- [CREDENTIALS_UNSAFE]: The documentation in state/postgres.md explicitly warns that the OPENPROSE_POSTGRES_URL connection string, which contains database credentials, is passed to subagent sessions and is visible in logs.
- [COMMAND_EXECUTION]: The framework supports defining agents with bash: allow or bash: prompt permissions. While intended for automation, this provides a high-privilege capability that can be exploited if an agent receives malicious instructions.
- [EXTERNAL_DOWNLOADS]: The skill uses web_fetch or curl to download remote programs and configuration files from the OpenProse registry (p.prose.md) and GitHub repositories.
- [DATA_EXFILTRATION]: Several library programs and examples (e.g., lib/profiler.prose, examples/48-habit-miner.prose) perform extensive scans of local system directories, including configuration and history files for other AI tools like Claude Code, Cursor, and Aider. Combined with network access, this presents an exfiltration surface.
- [DYNAMIC_EXECUTION]: The lib/profiler.prose file generates and executes inline Python scripts using heredocs (python3 << 'EOF') to calculate metrics from log files.
- [PROMPT_INJECTION]: The VM uses discretion markers (**...**) to evaluate conditions using AI judgment. This provides a vector where untrusted data processed as 'context' could influence the VM's control flow logic.