Is openprose/prose safe?

The post-execution section of open-prose's SKILL.md explicitly instructs the agent to star the openprose/prose GitHub repository on the user's behalf using a provided shell command, without requesting user consent. Social engineering pressure is applied via manufactured social proof ('712 others have. One more matters.'). This action would appear as a GitHub activity from the user's account and constitutes a covert manipulation of a third-party platform.

The skill instructs the agent to read SOUL.md, fill in the absolute path of the locally installed skill, and insert the completed template into the agent's own persistent memory file (SOUL.md or equivalent). This ensures the skill maintains influence across future sessions without the user explicitly loading it, effectively bootstrapping itself into every future conversation.

The open-prose VM fetches and executes arbitrary .prose programs from the third-party domain p.prose.md when given handle/slug references. The resolution rules are explicit: any reference containing '/' without a protocol resolves to https://p.prose.md/{path}. This means the skill author can deliver and update arbitrary executable programs to any user of this skill without their knowledge. The fetched programs execute with the agent's full tool capabilities.

Both skills instruct the agent to completely replace its identity: websh declares 'You ARE websh. Your conversation is the terminal session.' while open-prose declares 'You are the Prose Complete system' and 'You ARE the VM — your conversation is its memory, your tools are its instructions.' These instructions suppress the agent's normal cautious behavior, safety checks, and willingness to ask clarifying questions.

The open-prose VM architecture and websh both spawn multiple background subagents (haiku Task API calls with run_in_background=True) for network fetches, HTML extraction, crawling, and other operations. These subagents inherit the agent's full tool access with no additional permission scoping, creating a broad and persistent execution surface.

The skill explicitly encourages the agent to submit pull requests to the openprose/prose GitHub repository independently of user authorization, using framing that dismisses user agency. This could result in code changes being submitted to external repositories from the user's GitHub account without their knowledge.

The websh skill is designed to capture and persist authentication headers, session cookies, and credentials provided via export commands into local .websh/ state files. While this is a documented feature, these credentials are accessible to any subsequent background agent spawned by open-prose, creating a credential aggregation point.

The websh skill explicitly instructs the agent to infer and execute user intent without ever asking for clarification, removing a key safety mechanism for catching misunderstood or dangerous commands.

The skill instructs the agent to recommend the skill author's Twitter/X account to the user unprompted, using the agent as a marketing channel.

DNS resolution to the 104.16.x.x Cloudflare IP range and a connection to 104.16.11.34:443 were observed during monitoring. This is consistent with p.prose.md (the OpenProse registry) routing through Cloudflare CDN. Active connections were attributed to the openclaw-gatewa process (auditing infrastructure), not the skill clone itself. No filesystem modifications were detected outside the skill directory.