skills/steipete/clawdis/prose/Gen Agent Trust Hub

prose

Warn

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: MEDIUM

EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION

Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill allows running OpenProse programs directly from remote URLs or a registry shorthand (p.prose.md), enabling the fetching and execution of external logic at runtime.
  • [REMOTE_CODE_EXECUTION]: The standard library component lib/profiler.prose generates and executes Python code dynamically using heredoc syntax (python3 << 'EOF') to process session logs and calculate costs.
  • [DATA_EXFILTRATION]: The habit-miner utility (examples/48-habit-miner.prose) is configured to scan and read AI assistant logs from sensitive paths such as ~/.claude/, ~/.cursor/, and ~/.copilot/, which frequently contain sensitive information or credentials pasted by users during AI sessions.
  • [COMMAND_EXECUTION]: Numerous components and examples (e.g., examples/45-plugin-release.prose, lib/vm-improver.prose) utilize broad 'bash: allow' permissions to perform git operations, manage system files, and execute automated code fixes.
  • [CREDENTIALS_UNSAFE]: Documentation in state/postgres.md explicitly notes that PostgreSQL connection strings containing cleartext credentials are passed to subagent sessions and may be exposed in execution logs.
  • [PROMPT_INJECTION]: The skill ingests and processes untrusted external data (such as web content, other skills, and AI session logs) and interpolates this data into prompts for subagents.
      ◦ Ingestion points: lib/inspector.prose (run artifacts), examples/38-skill-scan.prose (other skills), examples/48-habit-miner.prose (AI logs).
      ◦ Boundary markers: Present in documentation via separators like '---', but the system lacks strict programmatic delimiters for untrusted content.
      ◦ Capability inventory: Extensive capabilities including 'bash: allow', network access, and broad filesystem read/write.
      ◦ Sanitization: Programmatic sanitization or escaping of interpolated data is not implemented.

Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 25, 2026, 05:52 AM