ralph
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from task descriptions and local progress files to define goals for subsequent agent iterations.
- Ingestion points: Reads task definitions from the
task_listtool and feature-specific context fromscripts/ralph/progress.txt. - Boundary markers: The skill lacks explicit delimiters or instructions to ignore potential commands embedded within the task descriptions or progress logs.
- Capability inventory: The agent has the ability to execute shell commands (bash), manage version control (git), and perform build/test operations (npm).
- Sanitization: There is no evidence of filtering, escaping, or validation of the ingested content before it is passed to the execution loop.
- [COMMAND_EXECUTION]: The skill core functionality relies on executing shell commands and scripts.
- It invokes local scripts such as
./scripts/ralph/ralph.shandscripts/ralph/ralph.tsusingnpx tsx. - It executes standard development commands including
npm run typecheck,npm test, and variousgitoperations. - While these are intended behaviors for a developer agent, they provide an execution surface for any instructions injected via indirect prompt injection vectors.
Audit Metadata