steve2
Fail
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The file templates/phase4-loop.md contains instructions to clone an untrusted repository from github.com/frankbria/ralph-claude-code.git and execute ./install.sh, allowing unverified remote code execution from a third-party source.
- [COMMAND_EXECUTION]: In SKILL.md, the skill uses the Task tool with mode: "bypassPermissions" to execute sub-tasks, which intentionally circumvents the security model and privilege boundaries designed to limit subagent actions.
- [COMMAND_EXECUTION]: Setup instructions in templates/phase0-equip.md create a settings.local.json configuration file that grants the agent nearly unrestricted Bash(*) and Skill(*) permissions.
- [EXTERNAL_DOWNLOADS]: The skill automatically installs multiple external tools, skills, and MCP servers from various remote sources during its setup phase without providing a mechanism for source verification or user approval.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
  1. Ingestion points: Untrusted data enters via the project description in SKILL.md.
  2. Boundary markers: Absent.
  3. Capability inventory: Full shell access (Bash(*)) and bypassPermissions mode are enabled for the agent.
  4. Sanitization: Absent; external content is interpolated directly into prompts for generating implementation plans and source code.
Recommendations
- AI detected serious security threats
Audit Metadata