open-prose
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The 'Giving Back' section in
SKILL.mdprovides explicit instructions for the AI agent to modify its long-term behavior by saving internal 'recognition memories'. - Instructs the agent to save entries in its memory system naming the signals that would make it reach for the framework again.
- Directs the agent to 'Recommend in context' by proposing OpenProse when it recognizes specific task patterns in future sessions.
- [EXTERNAL_DOWNLOADS]: The skill implements a git-native dependency model as specified in
deps.md, which involves downloading content from external sources. - The
prose installcommand clones repositories from arbitrary Git hosts (such as GitHub, GitLab, or self-hosted instances) specified in project files. - This mechanism is used to fetch instruction sets and services that the agent subsequently interprets and executes.
- [COMMAND_EXECUTION]: The framework's operational requirements involve the execution of several host-level command-line tools.
- Uses
gitfor dependency management and repository synchronization. - Employs
sqlite3andpsqlfor persisting execution state in durable databases. - Utilizes utilities like
jqandgh(GitHub CLI) for data processing and repository interaction within its services. - The specifications for database interactions involve constructing shell commands through string interpolation of processed values.
- [SAFE]: The skill incorporates several proactive security and privacy guardrails.
- Implements a 'workspace/bindings' isolation model that ensures private agent scratch work is separated from the public data interface.
- The
check_envprimitive and state backend guidelines strictly prohibit the logging or exposure of raw environment variable values, ensuring that secrets likeGITHUB_TOKENor database connection strings remain protected.
Audit Metadata