Prose Andy27725

Security checks across malware telemetry and agentic risk

Overview

This is a coherent OpenProse workflow runner, but it needs review because it can run remote workflows, spawn agents, persist local and cross-project state, and expose database credentials to subagents.

Install only if you intentionally want an agentic workflow runner. Treat local and remote .prose files like executable code:
  • review them and their imports before running them, and avoid untrusted URLs;
  • keep secrets and regulated data out of prompts and persisted memory;
  • prefer project-local .prose/ state over ~/.prose user memory, and clear stored state when it is no longer needed;
  • if enabling the experimental database backend, use only dedicated short-lived or limited-privilege PostgreSQL credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (21)

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding
The spec declares a flat namespace with no shadowing because bindings map to shared names, but later sections permit scoped shadowing in loops, blocks, and pipelines. That contradiction can cause variable capture, overwritten bindings, or execution against the wrong data, especially in a multi-agent orchestration language where context determines agent behavior and authorization decisions.

Intent-Code Divergence

Severity: High
Confidence: 93%
Finding
The execution model says state is tracked only in conversation context, yet other sections define persistent agents, filesystem-backed memory, and binding directories. This mismatch is dangerous because operators, reviewers, or downstream tools may assume ephemeral state while the system actually retains data across runs or writes to disk, creating unintended data retention, cross-run contamination, and possible exposure of sensitive information.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The prompt explicitly enables optional SQLite and PostgreSQL state backends, which expands the skill from orchestration into live database interaction. Even if framed as experimental, this increases the chance that untrusted .prose programs trigger reads or writes against local or networked databases, creating unnecessary data exposure and side-effect risk relative to the manifest's narrower orchestration purpose.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The skill activates on extremely broad triggers such as any `prose` command, any mention of 'OpenProse', and generic requests about reusable workflows or multi-agent orchestration. This can cause unintended takeover of unrelated user requests, increasing the chance that the skill loads risky execution logic or fetches remote content without the user explicitly asking for this capability.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The fallback rule tells the agent to 'intelligently interpret based on context' for unspecified commands, which creates ambiguous authority to route actions beyond a tightly defined command set. In a skill that can fetch URLs, load additional docs, and execute multi-agent workflows, ambiguity materially increases the risk of unsafe or surprising behavior.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The activation rule says to load this skill on any `prose` command, `.prose` file, or generic OpenProse mention, which is broader than necessary for a help file. That can cause unintended invocation in unrelated conversations, increasing the chance that the agent follows workflow guidance or loads additional files when the user only mentioned OpenProse incidentally.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The README advertises persistent cross-project and project-scoped memory that stores user preferences, decisions, mistakes, and institutional knowledge, but it does not provide an explicit privacy warning, retention policy, or guidance on handling sensitive data. In a multi-agent workflow system, this omission can lead users to persist secrets, personal data, or confidential project information without understanding the durability and scope of storage.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill explicitly supports fetching and executing remote `.prose` programs from arbitrary URLs and registry shorthands, but provides no trust boundary, origin validation, integrity verification, or user-consent warning. In an agent skill that orchestrates subagents, file I/O, remote fetches, and execution semantics, this materially increases the risk of prompt injection, unsafe tool use, and execution of attacker-controlled workflows.
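One way to put the missing trust boundary in front of remote .prose fetches, as an added example that is not OpenProse code and not the skill's own behaviour: the program is accepted only if it comes over https from an allowlisted origin and its SHA-256 matches a hash the operator pinned after reviewing it, so an unpinned or modified program fails closed. The allowlist entry, the lockfile format, the sample URL and the sample program bytes are assumptions constructed for the example; resolving a registry shorthand to a concrete URL is assumed to happen before this check runs, and the download itself is out of scope so the code runs offline.

```python
"""Origin allowlist and content-hash pinning for remotely fetched .prose programs.

Added example, not part of OpenProse. The fetch itself is out of scope: the
check takes the already-downloaded bytes, so it runs offline.
"""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allowlist of origins (scheme + host) that operators have reviewed.
ALLOWED_ORIGINS = frozenset({"https://registry.example"})

# Assumed lockfile: resolved source URL -> SHA-256 of the reviewed program.
# A registry shorthand must be resolved to its URL before it is looked up here.
SAMPLE_URL = "https://registry.example/workflows/review.prose"
SAMPLE_PROGRAM = b"# constructed placeholder, not real OpenProse syntax\nstep: summarise\n"
SAMPLE_LOCKFILE = {SAMPLE_URL: hashlib.sha256(SAMPLE_PROGRAM).hexdigest()}


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_origin(source: str, allowed=ALLOWED_ORIGINS) -> Verdict:
    """Reject anything that is not https from a reviewed origin."""
    parsed = urlparse(source)
    if parsed.scheme != "https":
        return Verdict(False, f"scheme {parsed.scheme or 'none'!r} is not https")
    origin = f"{parsed.scheme}://{parsed.netloc}"
    if origin not in allowed:
        return Verdict(False, f"origin {origin} is not allowlisted")
    return Verdict(True, f"origin {origin} allowlisted")


def verify_program(source: str, content: bytes, lockfile: dict,
                   allowed=ALLOWED_ORIGINS) -> Verdict:
    """Accept the program only if the origin is allowed and the hash matches the pin.

    An unpinned source fails closed: the operator reviews the program and records
    its hash before it can run, and any later change to the remote file
    re-triggers that review instead of executing silently.
    """
    origin_verdict = check_origin(source, allowed)
    if not origin_verdict.accepted:
        return origin_verdict
    expected = lockfile.get(source)
    if expected is None:
        return Verdict(False, "source is not pinned; review it and record its hash first")
    actual = sha256_hex(content)
    if actual != expected:
        return Verdict(False, f"hash mismatch: pinned {expected[:12]}, fetched {actual[:12]}")
    return Verdict(True, "origin allowlisted and content matches the pinned hash")


def demo() -> list:
    """Run the check over a constructed set of cases; returns (label, Verdict) pairs."""
    tampered = SAMPLE_PROGRAM + b"step: exfiltrate\n"  # constructed modification
    cases = [
        ("pinned, untouched", SAMPLE_URL, SAMPLE_PROGRAM),
        ("pinned, modified", SAMPLE_URL, tampered),
        ("plain http", SAMPLE_URL.replace("https://", "http://", 1), SAMPLE_PROGRAM),
        ("unknown origin", "https://attacker.example/review.prose", SAMPLE_PROGRAM),
        ("not pinned", "https://registry.example/workflows/other.prose", SAMPLE_PROGRAM),
    ]
    return [(label, verify_program(url, body, SAMPLE_LOCKFILE)) for label, url, body in cases]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:20} {'ACCEPT' if verdict.accepted else 'REJECT'}: {verdict.reason}")
```

The pin is keyed on the resolved URL rather than the shorthand so that a registry redirecting a name to different content cannot bypass the check; the lockfile should live in the project and be reviewed like any other dependency lock.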

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
User-scoped persistent memory is described as surviving across projects on the machine, but the documentation omits any privacy, data-minimization, or consent guidance. That can lead to unintended cross-project data retention and leakage, especially when agents later resume with memory that may contain sensitive material from unrelated workspaces.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The document explicitly prescribes persistent storage of execution state, bindings, and agent memory in both project-local `.prose/` and user-home `~/.prose/` directories, but it does not include safeguards, consent requirements, retention limits, or warnings about sensitive data capture. In this skill context, that is materially risky because prompts, outputs, memory, and cross-project agent state can contain secrets, proprietary code, or personal data that become silently durable and inspectable on disk.

Natural-Language Policy Violations

Severity: High
Confidence: 98%
Finding
The document explicitly says database credentials passed to subagents should be treated as non-sensitive because they may be exposed in context and logs. That guidance normalizes credential disclosure and materially increases the chance operators will use reusable or broader-scope credentials, leading to unauthorized database access, data tampering, or persistence abuse if subagents, logs, or external tooling are compromised.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The document directs user-scoped agent memory to be stored persistently in ~/.prose/agents.db but does not warn that this data survives across projects and may contain sensitive prompts, outputs, or derived secrets. In an agent framework, silent long-term cross-project retention increases the chance of privacy leakage, unintended data reuse, and exposure via local compromise or backup/sync systems.

Ssd 1

Severity: Medium
Confidence: 97%
Finding
The instruction that the model 'becomes' the VM is classic identity-framing that encourages the assistant to treat the spec as a higher-order runtime role rather than as untrusted content to interpret. This can weaken normal safety boundaries, especially when combined with later instructions to execute programs, fetch remote content, and spawn sessions.

Ssd 1

Severity: Medium
Confidence: 96%
Finding
The execution section repeatedly instructs the assistant to 'become' the OpenProse VM and to treat its conversation and tools as the machine's instructions and memory. This deepens the identity override risk by operationalizing the framing into concrete behavior, making it more likely the agent will follow program-defined semantics over normal assistant constraints.

Ssd 1

Severity: Medium
Confidence: 88%
Finding
Telling the model it 'embodies' or 'is' the VM encourages identity-level role adoption that can weaken normal assistant boundary reasoning. In a skill whose purpose is to execute workflows and spawn subagents, this framing can make the model more likely to follow in-band program instructions as operational directives rather than treat them as untrusted content.

Ssd 1

Severity: Medium
Confidence: 90%
Finding
The repeated 'you are the VM' and 'you perform it' framing reinforces elevated execution-role behavior across the skill. In context, this is more dangerous because the same file also grants authority to spawn sessions, manage persistent state, and fetch/import remote programs, increasing the chance that the model over-trusts procedural text and executes risky actions without adequate skepticism.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
This file explicitly defines a design where execution state is persisted by narrating it into the conversation itself. That causes caller inputs, intermediate values, and outputs to be copied into model-visible chat history, increasing the chance of sensitive data retention, prompt leakage, and accidental disclosure in later turns or summaries.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
Stating that conversation history is the VM's working memory encourages broad storage of all exchanged content, including sensitive user-provided data and derived internal state. In an agent framework, that materially raises the risk of cross-step exposure, inadvertent replay, and leakage through debugging or downstream prompt construction.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The narration protocol requires recording received inputs in text, which means secrets, personal data, or proprietary content from the caller may be reproduced verbatim in persistent conversational logs. Once present in-context, that data can be exposed by later generations, tool calls, transcript review, or model debugging behavior.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
The examples normalize logging caller inputs and outputs directly in conversation-visible form, which operationalizes unsafe handling rather than merely describing it abstractly. Concrete examples are especially risky in a skill pack because they shape implementation behavior and make broad data exposure the default pattern.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
Requiring input bindings to be tracked as retained caller values institutionalizes broad capture of user-provided data in model-visible state. In this skill context, where the document instructs a VM how to operate, that makes unsafe data retention systemic rather than incidental.
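The persisted-state findings earlier on this page (project-local .prose/ and user-home ~/.prose/ directories, agents.db) and the narration findings in this group share one practical control: detect secret-like content before it is written to durable state or echoed into the conversation, and mask it when a value must be narrated at all. The following is an added example and not OpenProse code: it scans a state directory (plain files plus any SQLite .db file, dumping every table generically) for secret-like strings, and shows a narration line that masks such values instead of reproducing them verbatim. The directory layout, the table schema in agents.db and all sample contents are constructed for the example, and the regular expressions are illustrative starting points that need tuning to the credential formats actually in use.

```python
"""Secret-pattern check for persisted OpenProse state and for narrated inputs.

Added example, not OpenProse code. The directory layout, the agents.db schema
and every sample value below are constructed; the patterns are illustrative.
"""
import re
import sqlite3
import tempfile
from pathlib import Path

SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "db_url_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql)://[^\s:/]+:[^\s@]+@[^\s/]+", re.I),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"\b(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*\S+", re.I),
}


def find_secrets(text: str) -> list:
    """Return (pattern_name, offset) for every secret-like match in text."""
    return [(name, m.start())
            for name, pat in SECRET_PATTERNS.items() for m in pat.finditer(text)]


def redact(text: str) -> str:
    """Mask secret-like spans so a value can be narrated or logged safely."""
    for pat in SECRET_PATTERNS.values():
        text = pat.sub("[REDACTED]", text)
    return text


def narrate_input(name: str, value: str) -> str:
    """Narration line for a received binding with secrets masked, not verbatim."""
    return f"Received {name}: {redact(value)}"


def iter_sqlite_text(db_path: Path):
    """Yield (table, row_as_text) for every row of every table in a SQLite file."""
    con = sqlite3.connect(str(db_path))
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in names:
            quoted = '"' + table.replace('"', '""') + '"'
            for row in con.execute(f"SELECT * FROM {quoted}"):
                yield table, " ".join("" if c is None else str(c) for c in row)
    finally:
        con.close()


def scan_state_dir(root) -> list:
    """Walk a state directory (e.g. .prose/ or ~/.prose/) and report secret-like content."""
    hits = []
    root = Path(root)
    if not root.is_dir():
        return hits
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix == ".db":
            for table, text in iter_sqlite_text(path):
                hits += [(str(path), f"table {table}", n) for n, _ in find_secrets(text)]
        else:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            hits += [(str(path), "file", n) for n, _ in find_secrets(text)]
    return hits


def build_fixture() -> Path:
    """Constructed state tree standing in for .prose/ or ~/.prose/; not real data."""
    root = Path(tempfile.mkdtemp(prefix="prose-state-"))
    (root / "memory").mkdir()
    (root / "memory" / "notes.md").write_text(
        "decision: use the db backend\npassword=hunter2\n")
    (root / "bindings.txt").write_text("report = weekly summary\n")
    con = sqlite3.connect(str(root / "agents.db"))
    con.execute("CREATE TABLE memory (agent TEXT, content TEXT)")
    con.execute("INSERT INTO memory VALUES (?, ?)",
                ("reviewer", "connect with postgres://app:s3cret@db.internal/prod"))
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    for path, where, kind in scan_state_dir(build_fixture()):
        print(f"{kind:22} {where:14} {path}")
    print(narrate_input("db_url", "postgres://app:s3cret@db.internal/prod"))
```

Run the scan against both .prose/ in the project and ~/.prose/ before sharing a workspace, backing up a home directory, or letting an agent resume with stored memory; anything it reports should be rotated as well as deleted, since the value has already been durable on disk.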

VirusTotal

0 of 61 VirusTotal vendors flagged this skill; all 61 reported it clean. That result covers file-level malware signatures only and does not speak to the behavioural risks in the findings above (remote workflow execution, persisted memory, credential handling), which antivirus scanning cannot detect.