Back to skill

Security audit

Prose

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate workflow-runner skill, but it can run remote workflows, spawn agents, persist data, and expose database credentials in ways users should review carefully.

Install only if you intentionally want an agentic workflow runner. Review local, URL, registry, and imported .prose programs before running them; avoid untrusted remote programs; keep secrets out of prompts and persistent memory; use a dedicated limited-privilege database if PostgreSQL state is enabled; and periodically inspect or clean .prose/ and ~/.prose/ state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The document states that current implementation state is tracked in-context, but elsewhere the specification repeatedly defines filesystem-backed persistence semantics for bindings, agent memory, imports, and collision rules. This inconsistency can cause implementers or downstream agents to apply the wrong storage model, leading to unintended persistence, stale memory reuse, namespace collisions, or leakage of prior execution data across runs.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The document explicitly states that the PostgreSQL connection string is passed to spawned subagents, which unnecessarily broadens database access to less-trusted execution contexts. In an agent framework, subagents may leak, misuse, or exfiltrate credentials through logs, prompts, or unintended tool use, making this a real confidentiality and integrity risk.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Cross-run project/user-scoped memory increases the persistence and reach of data available to agents beyond a single execution, expanding the blast radius of any prompt leakage, compromise, or misuse. In a multi-agent orchestration context, retaining shared memory across runs can unintentionally accumulate sensitive user or project information accessible to later sessions.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation criteria are extremely broad: any mention of 'prose', '.prose' files, or loosely related workflow intent can trigger the skill. In a multi-skill environment, this can cause unintended activation on ordinary conversation, increasing the chance that the agent follows this skill's powerful orchestration and remote-fetch behaviors without clear user intent.

Vague Triggers

Low
Confidence
73% confidence
Finding
The fallback route for 'Other' commands tells the skill to interpret unspecified commands based on context, which creates ambiguity and expands behavior beyond a well-defined command set. That makes misrouting and accidental execution more likely, especially when paired with the skill's ability to fetch remote content and orchestrate subagents.

Vague Triggers

Low
Confidence
91% confidence
Finding
The phrase inviting users to 'run any example' is broad enough that ordinary conversational requests could unintentionally activate example execution behavior. In a skill pack that orchestrates multi-agent workflows and can execute referenced .prose files, ambiguous invocation language increases the chance of accidental triggering and unintended workflow execution.

Vague Triggers

Low
Confidence
94% confidence
Finding
The documentation explicitly tells users to 'run any example' and provides natural-language trigger phrases without defining strict activation constraints. Because this skill activates on any `prose` command, .prose files, or OpenProse mentions, the broad trigger scope makes accidental or context-driven execution more likely, especially in mixed conversational settings.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README promotes cross-project and project-scoped persistent memory, including durable storage via `sqlite+`, but does not warn users about privacy, retention, or the risk of storing sensitive data. In an agent skill that orchestrates multi-agent workflows, persistent memory can quietly accumulate secrets, personal data, or proprietary project information across runs, increasing the chance of unintended disclosure or over-retention.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly supports fetching and executing remote `.prose` programs from arbitrary URLs and registry shorthands, but provides no trust boundary, origin validation, signature verification, or user-consent safeguard. In an agent-execution skill, this is dangerous because remote programs are effectively untrusted prompt/code that can induce tool use, data exfiltration, or unsafe workflow execution through the VM semantics.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly persists telemetry state plus user and session identifiers in `.prose/.env`, but provides no consent, minimization, retention, or privacy warning. In a multi-agent orchestration system that writes extensive run artifacts to disk, storing identifiers alongside execution state increases the chance of user tracking, accidental disclosure, and unintended correlation across runs.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The design persists execution artifacts and agent memory to project and home directories, including cross-project user-scoped memory in `~/.prose/agents/`, without any visible user-facing warning or consent model. Because these files may contain prompts, outputs, decisions, and other sensitive context, the persistence model creates a real privacy and data exposure risk, especially on shared machines, synced home directories, or repositories where `.prose/` may be committed accidentally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly states that conversation history is the VM's working memory, but it does not warn users that prompts, inputs, outputs, and intermediate values may be retained in visible chat history. In a multi-agent orchestration skill, this can cause sensitive user data to be echoed, preserved, and later exposed through summaries, context passing, or transcript review.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
Telling users to treat exposed database credentials as non-sensitive normalizes unsafe secret handling and materially increases the chance that credentials will be logged, shared, committed, or reused insecurely. Even if intended for a dedicated database, such credentials still grant real access and can enable data disclosure, tampering, or lateral misuse if permissions are broader than expected.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The recommended Docker example enables PostgreSQL trust authentication, which permits connections without password verification and is unsafe outside tightly controlled local-only testing. Presenting it as the fastest recommended path without a strong warning encourages insecure deployments that may be exposed via port forwarding, shared hosts, or misconfigured networks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document instructs use of project-scoped and especially user-scoped databases that persist across runs, including storage in ~/.prose/agents.db, without an explicit warning about retention, cross-project data mixing, or privacy implications. In a multi-agent orchestration skill, persistent memory can silently carry sensitive prompts, outputs, or secrets into later runs and unrelated projects, increasing the risk of unintended disclosure or context contamination.

Ssd 3

Medium
Confidence
97% confidence
Finding
The core design instructs the VM to persist state by 'thinking aloud' in natural language, which directly encourages storing caller inputs and working values in the transcript itself. Because this skill orchestrates workflows and imported programs, retained state can propagate across steps and increase the chance of inadvertent disclosure to users, tools, or later agent turns.

Ssd 3

Medium
Confidence
98% confidence
Finding
The examples show caller-provided inputs and outputs being logged verbatim in visible narration, normalizing disclosure of potentially sensitive data. Example-driven instructions are especially influential in agent behavior, so this materially increases the chance that real executions will echo confidential values into the conversation.

Ssd 3

Medium
Confidence
96% confidence
Finding
The context serialization section directs the model to pass values verbatim when small and summarized otherwise, which still promotes broad propagation of sensitive conversation-held state. Summarization does not reliably remove secrets, and repeated reuse of serialized context can spread sensitive information across sessions, sub-agents, and outputs.

Ssd 3

Medium
Confidence
88% confidence
Finding
Persisting prompts, agent memory, and project/user context in shared storage creates a durable repository of potentially sensitive natural-language data that may contain secrets, proprietary material, or personal information. In this skill's multi-agent setting, that retention increases exposure through later reads, bulk queries, backups, and cross-run reuse.

Ssd 3

Medium
Confidence
86% confidence
Finding
The resume workflow recommends bulk retrieval of all bindings and agent memory, which can unnecessarily surface the full accumulated dataset to the resuming context. That increases the impact of compromise or accidental disclosure by concentrating sensitive execution, project, and user data into a single operation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.