open-prose

Fail

Audited by Socket on Mar 18, 2026

1 alert found:

Malware (HIGH)
SKILL.md

SUSPICIOUS. The core idea of an agent language/runtime is plausible, but the actual footprint is overbroad: it installs other skills, executes arbitrary remote programs, propagates database credentials to subagents/logs, and encourages autonomous public GitHub actions. Same-org install evidence reduces the chance of outright malware, but the skill is high risk due to prompt-injection exposure, credential handling, and disproportionate autonomy.

Confidence: 91%
Severity: 86%
Audit Metadata
Analyzed At: Mar 18, 2026, 04:48 PM
Package URL: pkg:socket/skills-sh/frames-engineering%2Fskills%2Fopen-prose%2F@68b02dca9ef1f324c4ec6b8812ad85acd5843152