ralph-lisa-loop
Fail
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: HIGH
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The skill reads and modifies the agent's platform configuration file (~/.claude/settings.json). This file is a sensitive resource containing environment details, platform configuration, and potentially authentication settings.
- [COMMAND_EXECUTION]:
  - The skill installs a persistent command hook (scripts/stop-hook.sh) in the agent's platform settings. This hook executes every time the agent session ends, allowing the skill to maintain persistent control by re-injecting prompts and forcing the agent to continue tasks automatically.
  - The skill utilizes the Agent tool with mode="bypassPermissions" when dispatching worker subagents. This escalates the subagents' capabilities, allowing them to read and write to the file system without the standard user confirmation or permission checks typically enforced by the agent platform.
  - The orchestrator executes various administrative shell commands, such as adding MCP servers to the agent's configuration and running local validation scripts.
- [PROMPT_INJECTION]:
  - The skill is vulnerable to indirect prompt injection, as it is designed to ingest and process unverified content from repository files through its review cycle. While it attempts to parse output into a ledger, malicious repository content could influence the subagent or external reviewer logic.
  - Ingestion points: Repository files at artifact_path and content within the project directory.
  - Boundary markers: Uses a structured session file and findings ledger, but lacks isolation between external review content and agent-level instructions.
  - Capability inventory: Subagents have high-privilege file access (bypassPermissions) and can trigger code execution via Codex reviewers.
  - Sanitization: The orchestrator parses natural language response text into a structured findings table.
- [EXTERNAL_DOWNLOADS]: The skill manages external dependencies by instructing the installation of packages from the npm registry and configuring remote MCP services to perform code and plan reviews.
Recommendations
- AI detected serious security threats
Audit Metadata