← Back to Skills Marketplace

OpenProse

Name: OpenProse
Author: simbabuddy

by simbabuddy · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

411

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install open-prose

Description

OpenProse VM skill pack. Activate on any `prose` command, .prose files, or OpenProse mentions; orchestrates multi-agent workflows.

Usage Guidance

This skill is coherent with its purpose, but it lets the agent fetch and immediately execute .prose programs from arbitrary URLs (and recommends using curl/exec). That means a remote program could instruct the agent to read files, call external endpoints, or attempt to collect secrets. Before installing or enabling this skill: - Treat remote .prose programs as executable code. Only run programs from sources you trust. - Prefer reviewing fetched prose text before executing it (or request an explicit review step). - If you must allow remote runs, restrict allowed hosts/registries or add an allowlist (e.g., only p.prose.md or specific handles). - Consider sandboxing: run first in an environment without access to sensitive files, credentials, or network egress. - Confirm platform-level restrictions: does your agent runtime prevent exec/curl or restrict web_fetch? If exec is allowed, that increases risk. - Inspect the truncated/omitted files (state/sqlite.md, state/postgres.md, etc.) to see what state backends the skill will attempt to use and whether they reference credentials or connection strings. If you want me to, I can: (1) scan the remaining/truncated files for any explicit credential access or outbound endpoints; (2) list concrete mitigations to safely allow remote prose execution; or (3) produce a safe policy (allowlist/denylist + review step) you can use when enabling this skill.

Capability Analysis

Type: OpenClaw Skill Name: open-prose Version: 1.0.0 The OpenClaw AgentSkills skill bundle is classified as suspicious due to its inherent high-risk capabilities, which, while presented as features, create significant attack surfaces. Key indicators include instructions for the AI agent to use `exec` with `curl` for remote POST requests (`SKILL.md`, `prose.md`), direct execution of `psql` and `sqlite3` CLI commands for state management (`state/postgres.md`, `state/sqlite.md`), and fetching/executing remote `.prose` programs from arbitrary URLs or a registry (`SKILL.md`, `prose.md`). Although the skill includes warnings about credential visibility (`state/postgres.md`) and defines agent permissions (`compiler.md`), the direct instruction to execute powerful shell and network commands based on user-provided input (the `.prose` program) makes it highly vulnerable to prompt injection and supply chain attacks, potentially leading to remote code execution or unauthorized data access if exploited.

Capability Assessment

✓ Purpose & Capability

Name/description (OpenProse VM, orchestrate multi-agent workflows) align with the runtime instructions: loading prose.md, running/compiling .prose programs, and routing 'prose' commands. No unrelated binaries or credentials are requested.

⚠ Instruction Scope

SKILL.md explicitly instructs the agent to fetch `.prose` programs from arbitrary URLs or a registry shorthand and then 'load the VM and execute as normal.' It also recommends using web_fetch or falling back to exec with curl when POST is required. Executing fetched programs grants those remote programs the ability to direct the agent (including file I/O and network calls), which may enable data disclosure or other privileged actions. Activation triggers are broad (activate on any 'prose' mention, .prose files, or OpenProse mentions), increasing the chance of unintended invocation.

✓ Install Mechanism

No install spec and no code files that execute at install time; the skill is instruction-only, which minimizes install-time risk. The regex scanner had nothing to analyze.

ℹ Credentials

The skill declares no required environment variables or credentials (which is proportional). However, because it instructs the agent to fetch and execute remote programs (and references state backends like filesystem/sqlite/postgres in the packaged docs), those remote programs could request credentials or access environment variables at runtime — this is not declared here and could be unexpected.

✓ Persistence & Privilege

always:false and no special persistence or system-wide modifications are requested. The skill does not claim to modify other skills or global agent configuration in SKILL.md.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install open-prose
After installation, invoke the skill by name or use /open-prose
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial publish

Metadata

Slug open-prose

Version 1.0.0

License —

All-time Installs 6

Active Installs 6

Total Versions 1

Frequently Asked Questions

What is OpenProse?

OpenProse VM skill pack. Activate on any `prose` command, .prose files, or OpenProse mentions; orchestrates multi-agent workflows. It is an AI Agent Skill for Claude Code / OpenClaw, with 411 downloads so far.

How do I install OpenProse?

Run "/install open-prose" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is OpenProse free?

Yes, OpenProse is completely free (open-source). You can download, install and use it at no cost.

Which platforms does OpenProse support?

OpenProse is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created OpenProse?

It is built and maintained by simbabuddy (@simbabuddy); the current version is v1.0.0.

More Skills