open-prose

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly supports fetching and installing arbitrary git-hosted dependencies via prose install (see deps.md and the "Runtime Behavior" / "prose install" sections) into /deps/, and the VM/Forme then reads and executes .prose.md files from those third‑party repos as part of normal runs, so untrusted public repository content can directly influence execution and follow-up actions.