OpenProse

OpenProse VM skill pack. Activate on any `prose` command, .prose files, or OpenProse mentions; orchestrates multi-agent workflows.

This skill is coherent with its purpose, but it lets the agent fetch and immediately execute .prose programs from arbitrary URLs (and recommends using curl/exec). That means a remote program could instruct the agent to read files, call external endpoints, or attempt to collect secrets. Before installing or enabling this skill: - Treat remote .prose programs as executable code. Only run programs from sources you trust. - Prefer reviewing fetched prose text before executing it (or request an explicit review step). - If you must allow remote runs, restrict allowed hosts/registries or add an allowlist (e.g., only p.prose.md or specific handles). - Consider sandboxing: run first in an environment without access to sensitive files, credentials, or network egress. - Confirm platform-level restrictions: does your agent runtime prevent exec/curl or restrict web_fetch? If exec is allowed, that increases risk. - Inspect the truncated/omitted files (state/sqlite.md, state/postgres.md, etc.) to see what state backends the skill will attempt to use and whether they reference credentials or connection strings. If you want me to, I can: (1) scan the remaining/truncated files for any explicit credential access or outbound endpoints; (2) list concrete mitigations to safely allow remote prose execution; or (3) produce a safe policy (allowlist/denylist + review step) you can use when enabling this skill.

Type: OpenClaw Skill Name: open-prose Version: 1.0.0 The OpenClaw AgentSkills skill bundle is classified as suspicious due to its inherent high-risk capabilities, which, while presented as features, create significant attack surfaces. Key indicators include instructions for the AI agent to use `exec` with `curl` for remote POST requests (`SKILL.md`, `prose.md`), direct execution of `psql` and `sqlite3` CLI commands for state management (`state/postgres.md`, `state/sqlite.md`), and fetching/executing remote `.prose` programs from arbitrary URLs or a registry (`SKILL.md`, `prose.md`). Although the skill includes warnings about credential visibility (`state/postgres.md`) and defines agent permissions (`compiler.md`), the direct instruction to execute powerful shell and network commands based on user-provided input (the `.prose` program) makes it highly vulnerable to prompt injection and supply chain attacks, potentially leading to remote code execution or unauthorized data access if exploited.