prose

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs checking and echoing .prose/.env and $OPENPROSE_POSTGRES_URL and running psql with that connection string (and gives examples with plaintext user:pass), which requires reading and potentially outputting secrets verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the VM to fetch and execute .prose programs from arbitrary http(s) URLs and registry paths (see "Remote Programs" and "Use statements" which resolve to https://p.prose.md/{path}), so untrusted third‑party content is ingested and can directly influence execution and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly fetches and executes remote .prose programs at runtime (e.g. https://raw.githubusercontent.com/openprose/prose/main/skills/open-prose/examples/48-habit-miner.prose and registry-resolved URLs like https://p.prose.md/@handle/slug), and those fetched files become prompts/instructions for the VM, so they directly control agent behavior.