Trust Assessment
prose received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 2 medium, and 0 low severity. Key findings include Explicit `exec` with `curl` enables command injection, Shell command injection via `psql` with unsanitized environment variable, Database credentials exposed to subagents and logs.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 11/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Explicit `exec` with `curl` enables command injection.** The skill explicitly states that for POST requests it will use `exec` with `curl`. This allows arbitrary command injection if the URL or request body can be controlled by an untrusted `.prose` program or by user input: a malicious actor could craft a URL or POST data that includes shell commands, leading to remote code execution on the host system. *Recommendation:* avoid direct `exec` calls with unsanitized user input. Use a dedicated, sandboxed HTTP client tool that does not expose shell execution capabilities. If `curl` must be used, ensure all arguments are strictly validated and escaped, and consider running it in a highly restricted environment. | LLM | SKILL.md:17 |
| CRITICAL | **Shell command injection via `psql` with unsanitized environment variable.** The skill instructs the LLM to execute `psql "$OPENPROSE_POSTGRES_URL" -c "SELECT 1" 2>&1`. The `OPENPROSE_POSTGRES_URL` variable is interpolated directly into the shell command without proper escaping. If this variable contains shell metacharacters (e.g., `;`, `&`, `\|`, `$(...)`), a malicious actor could inject arbitrary shell commands, leading to remote code execution. *Recommendation:* when executing shell commands, never interpolate user-controlled or environment-variable content without robust sanitization and escaping. Use a tool's dedicated API or a safe execution mechanism that prevents shell metacharacter interpretation. For `psql`, consider a client library that handles connection strings securely, or ensure the environment variable is strictly validated. | LLM | SKILL.md:170 |
| HIGH | **Database credentials exposed to subagents and logs.** The skill explicitly warns that database credentials (from `OPENPROSE_POSTGRES_URL`) are passed to subagent sessions and are visible in logs. Sensitive credentials are therefore exposed within the execution environment and potentially recorded in persistent logs, making them vulnerable to harvesting by malicious subagents or exfiltration through log access. *Recommendation:* implement secure credential management. Avoid passing raw credentials to subagents or logging them directly. Use short-lived tokens, secrets management services, or environment variables that are not logged. Ensure subagent environments are isolated and do not have unnecessary access to parent process credentials. | LLM | SKILL.md:160 |
| MEDIUM | **Arbitrary URL fetching can lead to data exfiltration.** The skill allows fetching content from arbitrary URLs, including those specified in `.prose` programs. While `web_fetch` might be a safer tool, the explicit mention of `exec` with `curl` for POST requests means a malicious `.prose` program could instruct the LLM to send sensitive local data (e.g., environment variables, or file contents obtained via command injection) to an attacker-controlled server via a crafted `curl` command. *Recommendation:* restrict URL fetching to a whitelist of trusted domains or implement strict content validation. If `curl` is used, ensure it is invoked in a way that prevents data exfiltration (e.g., disallow redirects, limit headers, sanitize URLs). Prefer dedicated, sandboxed HTTP client tools over shell `exec` for network operations. | LLM | SKILL.md:17 |
| MEDIUM | **Broad filesystem access combined with command injection capabilities.** The skill requires broad read/write access to the user's workspace (`.prose/` directories, `*.prose` files) and home directory (`~/.prose/`). While this level of access is necessary for the skill's intended "VM" functionality, combined with the identified command injection vulnerabilities (via `exec` with `curl` and `psql`) it means a malicious `.prose` program could read, modify, or delete arbitrary files on the user's system, significantly escalating the impact of the other findings. *Recommendation:* implement a robust sandboxing mechanism for skill execution that limits filesystem access to only strictly necessary paths. Ensure that any file operations are performed through secure APIs that do not allow path traversal or arbitrary file access. Mitigate the command injection vulnerabilities to prevent escalation of privileges. | LLM | SKILL.md:100 |