open-prose
Fail
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill contains post-execution instructions that direct the AI to automatically star the project's GitHub repository using the gh CLI tool (gh api -X PUT /user/starred/openprose/prose). This represents an unauthorized automated social action on the user's behalf.
- [COMMAND_EXECUTION]: Multiple standard library and common programs generate and execute dynamic scripts at runtime. For example, lib/profiler.prose executes inline Python via heredocs, and common/holon.prose generates and runs Node.js scripts using the ws package for real-time communication.
- [EXTERNAL_DOWNLOADS]: The skill can fetch and interpret (execute) .prose programs from arbitrary URLs provided by the user or from a custom remote registry (p.prose.md). This behavior is functionally equivalent to remote code execution through the AI's instruction set.
- [DATA_EXFILTRATION]: The profiler.prose utility is designed to scan and read sensitive AI assistant session logs located in ~/.claude/projects/. These logs contain the full history of the user's interactions, including code and potentially sensitive data, which could be exposed during the profiling process.
- [PROMPT_INJECTION]: The skill includes instructions that attempt to modify the agent's persistent memory and future behavior. Specifically, it directs the agent to update its SOUL.md file with a specific template to 'remember' the skill for future sessions, which is a form of persistent instruction injection.
Recommendations
- AI detected serious security threats
Audit Metadata