OpenProse

Security checks across malware telemetry and agentic risk

Overview

OpenProse is a coherent multi-agent workflow skill, but it asks for enough execution, remote-loading, credential, and persistent-memory authority that users should review it carefully before installing.

Install only if you intentionally want a powerful agent workflow runner. Review any remote `.prose` file before running it, avoid user-scoped memory unless you want cross-project persistence, do not put secrets in prompts or persisted memory, and use PostgreSQL mode only with a dedicated low-privilege database and throwaway credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (29)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill explicitly maps remote fetch to `web_fetch` or `exec` with curl and later instructs checking PostgreSQL connectivity with `psql`, which expands the skill from orchestration guidance into network and shell execution. In a skill that can be auto-activated and execute user-supplied `.prose` programs, this increases the chance of unreviewed outbound requests, command execution, and interaction with sensitive configuration beyond what is minimally necessary.

Context-Inappropriate Capability

Low
Confidence
75% confidence
Finding
The documentation authorizes reading and using `~/.prose/agents/`, which is cross-project, user-scoped persistent state. That broadens the skill's access from project-local orchestration into home-directory data, creating a risk of unintended data exposure or cross-workspace persistence if a program or prompt causes the skill to inspect or reuse those agents.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill explicitly supports fetching and executing remote `.prose` programs from arbitrary URLs and a public registry, which turns a workflow skill into a remote code/instruction loader. In an agent setting, this enables prompt injection, untrusted capability expansion, and execution of attacker-controlled workflows without any trust boundary, allowlist, signature check, or user confirmation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Documenting `exec` with `curl` as an acceptable fetch path broadens the skill from orchestration into arbitrary shell-capable network access. That increases risk of command injection, uncontrolled outbound access, and bypass of safer platform-native fetch controls.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Cross-project memory stored under `~/.prose/agents/` creates durable state that can leak data between unrelated tasks and repositories. In a multi-project agent environment, that can expose sensitive context, secrets, or prior user data beyond expected scope.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The spec says the VM never holds full binding values, but later requires direct variable interpolation into prompts, which forces materialization of values into VM context. This contradiction can cause unintended data exposure, broken isolation assumptions, and accidental inclusion of large or sensitive bindings in downstream prompts.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation conditions trigger on very broad phrases like any `prose` command, any OpenProse mention, generic multi-agent workflow requests, or syntax fragments. Overbroad activation is dangerous because it can unexpectedly load a powerful orchestration skill in unrelated contexts, increasing the odds of remote fetches, file access, or agent spawning without sufficiently specific user intent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The fallback rule to 'intelligently interpret based on context' leaves command handling underspecified for unrecognized inputs. In a capability-rich skill, ambiguous routing can cause the assistant to choose unsafe actions, load unexpected documents, or execute workflows the user did not clearly request.

Vague Triggers

Low
Confidence
92% confidence
Finding
The example invocation text is broad enough that a normal user request like asking to 'run the code review example' could unintentionally trigger the skill or cause example execution without strong disambiguation. In a skill pack that orchestrates multi-agent workflows, loose activation phrasing increases the chance of accidental execution paths, context confusion, or unexpected agent dispatch.

Vague Triggers

Low
Confidence
90% confidence
Finding
The activation guidance around 'Ask Claude to run any example' and similar phrasing lacks clear trigger constraints, making it plausible that conversational mentions of examples are interpreted as executable instructions. Because this skill is designed to activate on broad prose-related commands and orchestrate workflows, ambiguous guidance meaningfully raises the risk of unintended skill activation and agent actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes persistent cross-project and project-scoped memory, including durable storage via `sqlite+`, but does not warn users that sensitive personal, project, or proprietary data may be retained and later surfaced across runs. In an agent skill that orchestrates multi-agent workflows and persistent agents, the absence of explicit privacy, retention, and consent guidance increases the risk of unintentional collection, over-retention, and cross-context disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs subagents to write bindings, memory, and segment files directly to the filesystem, but it provides no user-consent, trust-boundary, or safety gating around those writes. In an agent setting, this creates a real side-effect surface where prompts or untrusted task content can cause persistent modification of local state, potentially enabling data leakage, tampering, or stealthy persistence through agent memory.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill normalizes remote fetch-and-execute behavior without warning that the fetched program is untrusted and may contain adversarial instructions. For an agent skill, omitting that warning materially increases the chance that users or downstream agents will treat remote content as safe to execute.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Persistent agent memory across runs, projects, and custom paths is presented as normal behavior without privacy, retention, or contamination warnings. This can lead to unintentional storage of sensitive user information and cross-run influence that users do not expect.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly defines persistent storage of execution artifacts, agent memory, and user-scoped state in project and home directories, but it does not include any privacy notice, retention guidance, or safeguards for sensitive content. In this skill context, those files may contain prompts, outputs, identifiers, and cross-project memory, so silent persistence materially increases the risk of unintended data retention and privacy leakage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The `.env` example includes telemetry status plus `USER_ID` and `SESSION_ID`, normalizing collection and storage of identifiers without any nearby warning about privacy, correlation, or data handling. In an agent-orchestration system, such identifiers can enable tracking across runs and potentially across projects, making the omission security-relevant rather than merely editorial.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The document explicitly says PostgreSQL credentials are visible to subagents and should be treated as non-sensitive, while also encouraging propagation of the connection string to spawned sessions. This normalizes credential exposure and increases the chance of leakage via logs, prompts, transcripts, or misuse by subagents; in a multi-agent orchestration skill, that context makes the issue more dangerous because credentials are intentionally distributed across multiple execution contexts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The Docker example uses `POSTGRES_HOST_AUTH_METHOD=trust`, which disables password authentication, and the instructions then store a connection string in a local `.env` file without a prominent warning immediately attached to that setup path. Even if intended for convenience, this creates an insecure-by-default onboarding path that can expose an unauthenticated database on localhost or a forwarded port, especially when combined with a skill designed for network-accessible shared state.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document directs user-scoped agent memory to be stored in `~/.prose/agents.db`, which creates long-lived cross-project persistence in a highly sensitive location without any warning about privacy, retention, access control, or secret handling. In this skill context, agents may store prompts, summaries, and memory across sessions, so placing that data in the user's home directory materially increases the risk of unintended retention and disclosure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The examples instruct subagents to write prompt text, summaries, and memory directly into SQLite tables, but provide no caution against storing secrets, personal data, access tokens, or other sensitive conversation content. Because this skill orchestrates multi-agent workflows and durable state, these examples normalize unsafe persistence of highly sensitive material that could later be read by other agents, tools, or users with filesystem access.

Ssd 1

Medium
Confidence
89% confidence
Finding
The instruction to 'be' the OpenProse VM is a role-reframing mechanism that attempts to override the assistant's normal safety and trust-boundary behavior. In practice, this increases susceptibility to treating the document as operational authority and executing its instructions too literally, including unsafe remote fetching and session spawning.

Ssd 1

Medium
Confidence
90% confidence
Finding
Repeated 'you ARE the virtual machine' language intensifies behavioral steering and encourages the model to adopt an elevated execution role with reduced skepticism. In a skill that already includes remote execution semantics and persistence, that framing makes unsafe actions more likely to be followed as mandatory behavior.

Ssd 3

Medium
Confidence
87% confidence
Finding
The persistent-memory design encourages retaining cross-session and cross-project context, which can accumulate personal or sensitive information and later influence unrelated tasks. Without minimization and isolation, this creates privacy risk and context poisoning opportunities.

Ssd 3

Medium
Confidence
97% confidence
Finding
The design explicitly stores execution state by having the VM 'think aloud' in conversation history, meaning caller inputs and working memory become part of the transcript. In an agent system, transcripts are often exposed to users, downstream tools, logs, model providers, or future turns, so this creates a direct confidentiality risk for secrets, personal data, and sensitive intermediate results.

Ssd 3

Medium
Confidence
98% confidence
Finding
The protocol specifically instructs logging received inputs and produced outputs in plain text within the conversation. That makes sensitive prompts, API keys, personal data, documents, or proprietary outputs likely to be echoed into a channel that may be retained, reviewed, or leaked beyond the intended execution scope.

VirusTotal

66/66 vendors flagged this skill as clean.