ralph-lisa-loop
Fail
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill modifies the global agent configuration file (~/.claude/settings.json) to install a persistent "Stop" hook. This hook executes the stop-hook.sh script every time the agent attempts to stop, impacting behavior across all sessions.
- [COMMAND_EXECUTION]: During preflight, the skill uses claude mcp add to install and configure Model Context Protocol (MCP) servers on the host system.
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the @openai/codex package. This dependency originates from OpenAI, a well-known service, and is part of the intended reviewer backend.
- [PROMPT_INJECTION]: The skill implements a dynamic loop by re-injecting prompts into the agent's context. The stop-hook.sh script returns a "block" decision to the agent along with a continuation prompt, effectively overriding the agent's lifecycle control.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection.
  - Ingestion points: Untrusted review data is ingested from the Codex model in every loop round (documented in references/guide.md).
  - Boundary markers: The protocol does not use delimiters or instructions to ignore embedded commands in the review output.
  - Capability inventory: The skill has high-privilege capabilities, including file system access, execution of CLI tools via codex exec, and management of global agent hooks.
  - Sanitization: There is no sanitization or filtering of the external reviewer's output before it is parsed and processed.
Recommendations
- AI detected serious security threats