Trust Assessment
The `prose` skill received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include Remote Code Execution via Arbitrary URLs, Command Injection and Credential Exposure via PostgreSQL URL, and Command Injection via `exec` with `curl` for Remote Fetch.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 18, 2026 (commit b62bd290). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Remote Code Execution via Arbitrary URLs.** The skill instructs the LLM to fetch and execute `.prose` programs from arbitrary URLs provided by the user (e.g., `prose run <URL>` or `use <URL>`). This allows for remote code execution without apparent sandboxing or validation, posing a critical supply chain risk. An attacker could provide a malicious URL, leading the LLM to download and execute untrusted code. Recommendation: implement strict validation and sandboxing for all remote code execution. Consider whitelisting trusted domains, requiring code signing, or executing remote programs in an isolated, read-only environment. Clearly define the security implications to the user. | LLM | SKILL.md:85 |
| CRITICAL | **Command Injection and Credential Exposure via PostgreSQL URL.** The skill instructs the LLM to use the `OPENPROSE_POSTGRES_URL` (which contains database credentials) directly in shell commands like `psql "$OPENPROSE_POSTGRES_URL" -c "SELECT 1"`. If `OPENPROSE_POSTGRES_URL` is user-controlled and contains shell metacharacters, it can lead to arbitrary command execution. Furthermore, the skill explicitly states these credentials are "visible in logs" and instructs the LLM to read them via `cat .prose/.env` and `echo $OPENPROSE_POSTGRES_URL`, exposing sensitive information to the LLM's context and potentially logs. Recommendation: sanitize `OPENPROSE_POSTGRES_URL` before using it in shell commands to prevent command injection. Avoid echoing or `cat`ing sensitive environment variables directly into the LLM's context or logs. Use secure methods for credential management, such as dedicated secrets management tools, and ensure credentials are not exposed in logs or conversational history. If `psql` is necessary, use a library or tool that handles argument escaping securely. | LLM | SKILL.md:170 |
| HIGH | **Command Injection via `exec` with `curl` for Remote Fetch.** The skill explicitly maps 'Remote fetch' to 'OpenClaw `web_fetch` (or `exec` with curl when POST is required)'. Using the powerful `exec` tool with `curl` for network operations, especially when parts of the `curl` command (like the URL or headers) might be derived from user-controlled input, creates a significant command injection vulnerability. Malicious input could lead to arbitrary shell command execution. Recommendation: avoid using `exec` with user-controlled input. If `curl` is necessary, ensure all parameters derived from untrusted sources are strictly validated and properly escaped for shell execution. Prefer using a dedicated `web_fetch` tool that handles HTTP requests securely without resorting to shell execution, or ensure the `exec` tool is sandboxed and has minimal permissions. | LLM | SKILL.md:24 |
Full report: https://skillshield.io/report/48668edbbb2fcd4e (powered by SkillShield)