open-prose
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Flagged categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (MEDIUM): The skill functions as a VM that interprets and executes .prose files, enabling dynamic code execution and subagent orchestration via the Task tool. It also includes keyword 'registers' (e.g., Kafka, Borges) that alias functional commands with narrative metaphors, which could be used to obfuscate program logic from human review.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill references and interacts with an external, non-whitelisted domain (api-v2.prose.md) for its 'Constellation' distributed system and program registry.
- [DATA_EXFILTRATION] (MEDIUM): Multiple programs (e.g., publisher.prose, beacon.prose) are designed to take 'credentials' as input and transmit data or signals to the external api-v2.prose.md domain, creating a clear path for credential or sensitive context exfiltration.
- [PROMPT_INJECTION] (LOW): The guidance/system-prompt.md uses authoritative instructions to redefine the agent's persona. Additionally, the VM architecture is susceptible to indirect injection. Evidence chain:
  1. Ingestion point: .prose scripts and context files.
  2. Boundary markers: Uses '...' discretion markers for AI-evaluated logic.
  3. Capability inventory: Spawns subagents (Task tool) and performs network operations (api-v2.prose.md).
  4. Sanitization: Relies on LLM reasoning rather than programmatic filtering.
- [COMMAND_EXECUTION] (LOW): Skill documentation encourages the use of shell-based commands like 'npx skills add' for installation and 'prose run' for execution.
Audit Metadata