ralph-lisa-loop

Warn

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: Modifies global configuration files to install persistent behavior.
    • Evidence: The skill requests permission to modify ~/.claude/settings.json to add a Stop hook pointing to scripts/stop-hook.sh.
  • [COMMAND_EXECUTION]: Uses elevated permissions for automated subagent tasks.
    • Evidence: Dispatches worker subagents using the Agent tool with mode="bypassPermissions" in references/guide.md to perform automated file modifications.
  • [DATA_EXFILTRATION]: Reads and writes sensitive local configuration data.
    • Evidence: Accesses ~/.claude/settings.json during the preflight phase and manages session state within the .claude/ directory.
  • [REMOTE_CODE_EXECUTION]: Orchestrates external code execution and analysis tools.
    • Evidence: Integrates with the Codex external reviewer via MCP or CLI (codex exec), allowing external processing of repository contents.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface.
    • Ingestion points: Processes repository source code, uncommitted changes, and feedback from the Codex external reviewer.
    • Boundary markers: The orchestrator utilizes structured summaries from subagents to limit direct exposure to raw artifact content.
    • Capability inventory: Automated subagents possess the ability to modify project files and execute scripts through the Agent tool.
    • Sanitization: The references/guide.md file acknowledges the risk of adversarial content in reviewer output, though the system remains vulnerable to sophisticated injection via processed data.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 14, 2026, 06:33 AM