Prose

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate OpenProse workflow-runner skill, but it can fetch and run remote workflows that spawn agents and persist local or database state without enough built-in trust controls.

Install only if you intentionally want an agentic workflow runner. Review any local, URL, registry, or imported .prose program before running it; avoid untrusted remote programs; keep secrets out of prompts, .prose state, and persistent memory; use a dedicated limited-privilege database if PostgreSQL state is enabled; and periodically inspect or clean .prose/ and ~/.prose/ state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The spec states that current state is tracked in conversation history, but elsewhere defines filesystem-backed persistence and binding storage paths. This inconsistency can cause an implementation or compiler to make unsafe assumptions about where state lives, potentially bypassing persistence, isolation, or collision safeguards described in other sections. In a workflow language that orchestrates subagents and persistent memory, contradictory state semantics materially increase the risk of data leakage, stale memory reuse, or incorrect security enforcement.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The block parameter section permits parameters to shadow outer variables, while the flat-namespace rule later says no shadowing is allowed because names collide in shared binding storage. That contradiction can produce ambiguous or divergent implementations, with one engine allowing shadowing and another overwriting outer bindings, leading to data corruption or unintended context substitution. In a language that passes prior outputs between agents, such name-resolution ambiguity has direct security and correctness consequences.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The loop documentation says loop variables can shadow outer variables with only a warning, but the flat-namespace rule says such collisions are compile errors due to shared binding names. This can cause implementers to accept programs that overwrite or mask security-relevant values, especially inside iterative workflows where prior outputs are reused as context. The result is unpredictable binding resolution and potential leakage or misuse of sensitive intermediate state.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The pipeline section allows implicit or explicit pipeline variables to shadow outer variables with a warning, which conflicts with the later rule that all bindings must be unique to avoid filesystem collisions. Because pipelines transform collections and feed results into later sessions, ambiguous variable resolution can silently substitute the wrong context or overwrite existing values. In this agent-orchestration language, that can change task inputs, leak prior results, or invalidate permission assumptions tied to data flow.
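The four divergence findings above describe one hazard from four angles: a loop, block or pipeline variable reuses an outer binding's name while the runtime keeps every binding in a single flat store. The Python below is an added illustration, not OpenProse code and not .prose syntax. It runs the same "inner variable reuses outer name" program against a flat name-keyed store and against a scoped one, and shows the static uniqueness check that the flat-namespace rule implies. The binding names, values and the `declarations` list are constructed for the example.

```python
"""Added illustration of the shadowing hazard (not OpenProse code).
Binding names, values and the declaration list are constructed inputs."""
from typing import Any


class FlatBindingStore:
    """One dict keyed by binding name: the behaviour of a flat namespace
    whose bindings are files in a single directory."""

    def __init__(self) -> None:
        self._bindings: dict[str, Any] = {}

    def bind(self, name: str, value: Any) -> None:
        self._bindings[name] = value

    def get(self, name: str) -> Any:
        return self._bindings[name]


class ScopedBindingStore:
    """A stack of frames: an inner block may mask an outer name, and the
    mask disappears when the block's frame is popped."""

    def __init__(self) -> None:
        self._frames: list[dict[str, Any]] = [{}]

    def push(self) -> None:
        self._frames.append({})

    def pop(self) -> None:
        self._frames.pop()

    def bind(self, name: str, value: Any) -> None:
        self._frames[-1][name] = value

    def get(self, name: str) -> Any:
        for frame in reversed(self._frames):
            if name in frame:
                return frame[name]
        raise KeyError(name)


OUTER_CONTEXT = "reviewed context: release notes approved by security"  # constructed
LOOP_ITEMS = ["untrusted web page chunk 1", "untrusted web page chunk 2"]  # constructed


def demo_shadowing() -> tuple[str, str]:
    """Run the 'loop variable reuses outer name' program against both stores
    and return what the outer binding reads after the loop in each."""
    flat = FlatBindingStore()
    flat.bind("context", OUTER_CONTEXT)
    for item in LOOP_ITEMS:
        flat.bind("context", item)        # shadowing silently overwrites
    after_flat = flat.get("context")      # last loop item; outer value is gone

    scoped = ScopedBindingStore()
    scoped.bind("context", OUTER_CONTEXT)
    scoped.push()                         # loop body gets its own frame
    for item in LOOP_ITEMS:
        scoped.bind("context", item)
    scoped.pop()                          # mask removed with the frame
    after_scoped = scoped.get("context")  # outer value intact
    return after_flat, after_scoped


def check_unique_bindings(declarations: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Static check for the flat-namespace rule: every binding name must be
    unique across the whole program, whatever its nesting. Input is a list
    of (name, location) pairs from a parsed program; output lists
    (name, first_location, colliding_location) so a runner can refuse to
    execute instead of overwriting silently."""
    first_seen: dict[str, str] = {}
    collisions: list[tuple[str, str, str]] = []
    for name, where in declarations:
        if name in first_seen:
            collisions.append((name, first_seen[name], where))
        else:
            first_seen[name] = where
    return collisions


if __name__ == "__main__":
    print(demo_shadowing())
    print(check_unique_bindings([("context", "top level"), ("summary", "top level"),
                                 ("context", "loop body")]))
```

In the flat store the shadowing loop leaves `context` holding the last untrusted chunk, which is exactly the wrong-context substitution the findings warn about; a later session that reads `context` as reviewed input now gets attacker-controlled text. When a spec offers both readings, a runner should take the stricter one and reject the program up front with `check_unique_bindings`.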

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The activation conditions are extremely broad, including any mention of 'OpenProse', 'prose program', certain syntax fragments, or any `prose` command. In an agent environment, this can cause the skill to activate outside the user's intended context and take over handling of unrelated prompts, increasing the chance of unsafe file access, remote fetches, or workflow execution without clear user intent.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The routing table ends with 'Other | Intelligently interpret based on context', which leaves command handling undefined for unmatched input. That ambiguity is risky in a skill that can read local files, fetch remote programs, and orchestrate multi-agent execution, because the model may overreach and interpret unintended inputs as actionable commands.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill explicitly supports fetching and executing `.prose` programs from arbitrary URLs and registry shorthands, but does not require a warning, trust check, integrity validation, or consent flow for untrusted remote content. Because the skill is designed to 'become the VM' and execute fetched instructions, this creates a direct prompt-injection and untrusted-code-execution pathway through remote content.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The skill is configured to activate on broad natural-language mentions of OpenProse, not only on explicit commands or file types. That increases the chance of unintended activation in unrelated conversations, causing the agent to load and follow this skill's orchestration guidance when the user did not clearly request it.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The README advertises persistent user-scoped and project-scoped memory and recommends a durable sqlite+ backend, but it does not clearly warn users that stored content may contain sensitive personal, organizational, or cross-project data that will be retained over time. In a multi-agent orchestration skill, this increases the chance that users enable persistence without understanding privacy, retention, consent, or data-mixing risks, which can lead to unintended disclosure or over-collection.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This file explicitly instructs subagents to write bindings, memory, and segment files directly into the local filesystem under `.prose/...` paths. In an agent skill, guidance to persist arbitrary session output and memory without an explicit trust boundary, consent model, or safety constraints creates a real local-state modification capability: a malicious prompt can abuse it, sensitive data can be persisted, and existing data can be overwritten or accumulate unintentionally.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill explicitly allows fetching and executing `.prose` programs from arbitrary URLs and a remote registry, but provides no trust boundary, signature verification, allowlist, or warning that remote programs are untrusted code. In this skill's context, those fetched programs can drive subagent spawning, file I/O, web fetches, and persistent state, so treating remote content as executable workflow definitions creates a meaningful supply-chain and prompt-injection risk.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The documentation encourages project- and user-scoped persistent agent memory, including cross-project storage under `~/.prose/agents/`, without warning about data retention, cross-context leakage, or accidental reuse of sensitive information. In a multi-workflow agent system, this can expose secrets, internal context, or prior task data to later sessions that should have been isolated.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The document explicitly promotes persisting execution state, bindings, and agent memory to disk for inspection and resumption, but it does not warn that these files may contain prompts, model outputs, secrets, credentials, proprietary code, or personal data. In this skill context, that omission is security-relevant because the system is designed to capture and retain multi-agent workflow artifacts, increasing the chance that sensitive data is unintentionally written to durable storage and later exposed through backups, source control, local compromise, or shared workspaces.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The example `.prose/.env` stores telemetry status plus user and session identifiers in a predictable local file without any privacy notice, retention guidance, or access-control discussion. Even if the sample values are illustrative, documenting this pattern normalizes writing trackable identifiers to disk, which can enable user correlation, session tracking, and privacy leakage if the directory is shared, committed, or collected by other tooling.
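The persistence findings above (bindings, agent memory and segment files under `.prose/`, cross-project memory under `~/.prose/agents/`, and the `.prose/.env` telemetry identifiers) all come down to the same operational need from the overview: inspect that state before it is committed, backed up or shared. The script below is an added example, not tooling shipped with the OpenProse skill. It walks a state directory, flags lines that look like credentials, and flags user or session identifier keys in any `.env` file. The directory layout, file contents and the `PROSE_USER_ID` / `PROSE_SESSION_ID` key names are constructed for the example; the skill's real file and key names may differ.

```python
"""Added example (not OpenProse tooling): audit persisted .prose/ state for
secrets and trackable identifiers. The directory layout, file contents and
.env key names are constructed for the example; real names may differ."""
import re
import tempfile
from pathlib import Path

# Material that should never sit in durable workflow state.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\s*[:=]\s*\S{8,}"),
}
# .env keys that identify the user or session (assumed naming, see lead-in).
TRACKING_KEY = re.compile(r"^[A-Z0-9_]*(?:USER|SESSION)_ID\s*=", re.I)
MAX_BYTES = 1_000_000  # skip large dumps; adjust to taste


def audit_prose_state(root: Path) -> list[dict]:
    """Walk `root` (a .prose/ or ~/.prose/ directory) and return one finding
    per matching line as {'path', 'line', 'kind'}."""
    findings: list[dict] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > MAX_BYTES:
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="ignore")
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append({"path": rel, "line": lineno, "kind": kind})
            if path.name.endswith(".env") and TRACKING_KEY.match(line):
                findings.append({"path": rel, "line": lineno, "kind": "tracking_identifier"})
    return findings


def build_sample_state(root: Path) -> None:
    """Constructed .prose/ tree: two bindings (one holding the AWS
    documentation example key, one an API key), one agent memory file that
    is clean, and a telemetry .env with user and session identifiers."""
    (root / "bindings").mkdir(parents=True)
    (root / "agents" / "researcher").mkdir(parents=True)
    (root / "bindings" / "deploy_notes.md").write_text(
        "Use access key AKIAIOSFODNN7EXAMPLE for the staging bucket.\n")
    (root / "bindings" / "api_setup.md").write_text(
        "Configured as api_key = sk-constructed-abcdef12345\n")
    (root / "agents" / "researcher" / "memory.md").write_text(
        "Prefers concise summaries. Last task: summarize the quarterly report.\n")
    (root / ".env").write_text(
        "PROSE_TELEMETRY=enabled\nPROSE_USER_ID=u-constructed-1234\n"
        "PROSE_SESSION_ID=s-constructed-5678\n")


def demo() -> list[tuple[str, str]]:
    """Build the constructed tree in a temp dir, audit it, return (path, kind) pairs."""
    root = Path(tempfile.mkdtemp()) / ".prose"
    build_sample_state(root)
    return sorted((f["path"], f["kind"]) for f in audit_prose_state(root))


if __name__ == "__main__":
    for path, kind in demo():
        print(f"{kind:20} {path}")
```

Point `audit_prose_state` at a real `.prose/` or `~/.prose/` directory to use it; any finding in `bindings/` or `agents/*/memory*` means a prompt, model output or imported program has already written a credential to durable storage, and the remedy is to rotate the credential, not just delete the file. The same regexes are a reasonable first filter on values before they are passed verbatim into the transcript or to a downstream agent.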

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The document explicitly describes fetching and invoking imported programs from a remote URL, but it does not require user consent, provenance verification, or a warning that prompts, inputs, and outputs may be transmitted to an external service. In an agent skill that orchestrates multi-agent workflows, this omission can cause unintentional data exfiltration and execution of untrusted remote logic.
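The findings on fetching `.prose` programs from arbitrary URLs and registry shorthands, and on invoking imported programs from a remote URL, all ask for the same missing control: a trust check before fetched text is treated as an executable workflow. The gate below is an added example, not part of the OpenProse skill. A program runs only if its reference is on a local allowlist and the fetched text hashes to the SHA-256 pinned when a human reviewed it; as a secondary screen it refuses text containing Unicode format characters, the "Unicode Deception" pattern in the scanner's own list. The URLs, the program text and the in-memory fetcher are constructed; a real runner would replace `make_fetcher` with its HTTP client. The gate does not address the separate concern that prompts and inputs may be sent to the remote service; that requires the runner to fetch the program without attaching user data.

```python
"""Added example (not part of the OpenProse skill): a trust gate for remote
.prose programs. A program runs only if its reference is on a local
allowlist and its fetched text matches the SHA-256 pinned at review time.
URLs, the program text and the in-memory fetcher are constructed."""
import hashlib
import unicodedata
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Decision:
    allowed: bool
    reason: str
    program: Optional[str] = None


def pin_after_review(program_text: str) -> str:
    """The hash to record beside a source once a human has read the program."""
    return hashlib.sha256(program_text.encode("utf-8")).hexdigest()


def find_hidden_chars(text: str) -> list[str]:
    """Unicode format characters (zero-width, bidi overrides, BOM) that can
    hide instructions from a human reviewer while a model still reads them."""
    return sorted({f"U+{ord(c):04X}" for c in text if unicodedata.category(c) == "Cf"})


def gate_remote_program(ref: str, allowlist: Dict[str, str],
                        fetch: Callable[[str], str]) -> Decision:
    """Decide whether the program at `ref` (URL or registry shorthand) may run.
    `allowlist` maps a reference to its reviewed SHA-256; `fetch` returns the
    program text for a reference. Fail closed on every branch."""
    pinned = allowlist.get(ref)
    if pinned is None:
        return Decision(False, f"{ref} is not in the allowlist; review it and pin its hash first")
    try:
        text = fetch(ref)
    except Exception as exc:  # network error, unknown registry entry, ...
        return Decision(False, f"fetch failed for {ref}: {exc}")
    hidden = find_hidden_chars(text)
    if hidden:
        return Decision(False, "program contains hidden format characters: " + ", ".join(hidden))
    digest = pin_after_review(text)
    if digest != pinned:
        return Decision(False, f"hash mismatch for {ref}: pinned {pinned[:12]}, fetched {digest[:12]}")
    return Decision(True, "source allowlisted and content matches the reviewed hash", text)


def make_fetcher(remote: Dict[str, str]) -> Callable[[str], str]:
    """Offline stand-in for the download step: serves constructed responses."""
    def fetch(ref: str) -> str:
        if ref not in remote:
            raise LookupError("no such program")
        return remote[ref]
    return fetch


REVIEWED_PROGRAM = (  # constructed stand-in for a program a human has read
    "# review.prose (constructed example, not real syntax)\n"
    "Summarize the supplied document and return five bullet points.\n"
)
REVIEW_REF = "https://example.com/workflows/review.prose"  # constructed URL


def demo() -> Decision:
    """Happy path: reviewed program, pinned hash, unchanged upstream content."""
    allowlist = {REVIEW_REF: pin_after_review(REVIEWED_PROGRAM)}
    return gate_remote_program(REVIEW_REF, allowlist,
                               make_fetcher({REVIEW_REF: REVIEWED_PROGRAM}))


if __name__ == "__main__":
    print(demo())
```

The gate is deliberately fail-closed: an unpinned reference is refused rather than prompted for, and a changed upstream file is refused even from an allowlisted host, which is the protection needed against a registry entry or URL whose content changes after the user first reviewed it. Pin entries by running `pin_after_review` over the exact text you read, and re-review before updating a pin.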

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The file instructs the VM to persist execution state in conversation history and frames that as core behavior, but it does not warn that the transcript may retain sensitive inputs, intermediate reasoning-like artifacts, or operational metadata. In this skill context, conversation history is a broad and easily re-shared surface, so normalizing transcript persistence increases disclosure risk.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The text says the VM 'thinks aloud' and that what it says becomes what it remembers, which operationally encourages storing caller inputs and working state directly in natural-language transcript. That creates a clear leakage channel because sensitive data becomes part of visible conversational content and may later be reused, summarized, or transmitted.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
The examples direct the system to log inputs received from the caller and outputs returned to the caller verbatim in the transcript. If those values include secrets, personal data, or proprietary task content, the skill itself causes disclosure by design rather than as an incidental implementation bug.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The context-passing guidance instructs the system to pass values verbatim when small and to summarize larger values into conversation-visible context. This still exposes sensitive state in the transcript and may spread confidential information across additional model calls or downstream agents.

VirusTotal

66/66 vendors flagged this skill as clean.
