open-prose

Fail

Audited by Snyk on Apr 7, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The content exposes multiple high-risk, intentional-capability patterns: it explicitly supports fetching and executing programs from arbitrary URLs/registries, spawning persistent and resumable subagents with filesystem and network access, scanning user/home/skill directories, and passing database/credential links into subagents—combinations that enable data exfiltration, credential theft, remote code execution, supply-chain compromise and long-lived backdoors if abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly supports running remote programs fetched from arbitrary URLs and a public registry (see SKILL.md "Remote Programs" — "prose run https://..." — and forme.md "Step 2: Resolve Component Files" which fetches registry shorthand from https://p.prose.md/{path}), and those fetched .md/.prose files are read, wired, and executed by the VM, so untrusted third-party content can directly influence execution and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly resolves and fetches program components at runtime from the registry pattern https://p.prose.md/{path} (and similarly allows direct https://raw.githubusercontent.com/... URLs), and those fetched .md program files are loaded and executed by the VM—so remote content from https://p.prose.md directly controls agent prompts/instructions at runtime.

Issues (3)

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Apr 7, 2026, 07:14 PM
  • Issues: 3