prose

The OpenProse skill is coherently aligned with its goal of VM-like prose execution and multi-agent orchestration, but it introduces meaningful security risks due to remote code fetch/execute flows and credential handling that can appear in logs. To reduce risk, enforce strict provenance controls, avoid logging sensitive credentials, sandbox remote program execution, and require explicit user approval for remote fetch/run operations.

The file is a detailed VM/runtime specification that intentionally enables execution of fetched programs and spawning of subagents with access to local and persistent state. The specification text itself contains no obfuscated code or built-in malware, but its described semantics (remote program execution, direct subagent access to local files and agent memory, recommended use of exec/curl) create a moderate security risk if implemented without strict sandboxing, provenance verification, and network/filesystem access controls. Treat runs importing or executing remote .prose programs as untrusted by default, require signing/validation and capability restrictions, and limit persistent agent paths to reduce risk of data leakage and RCE.