ralph-loop

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection because it establishes an autonomous loop that ingests untrusted data from the local filesystem to drive agent behavior.
      • Ingestion points: .claude/ralph-loop.local.md, TODO.md, and all files referenced in the Context section.
      • Boundary markers: Absent; the skill lacks delimiters or explicit instructions to ignore embedded commands in the processed files.
      • Capability inventory: High; the agent is authorized to run arbitrary shell commands (Verification Commands) and modify files across the repository.
      • Sanitization: Absent; external data is treated as instructional context without validation.
  • [COMMAND_EXECUTION] (HIGH): The core functionality relies on the execution of user-defined shell commands (e.g., pytest, build commands) within an autonomous cycle. If a state file or TODO.md is manipulated by a malicious process or payload, the agent will execute arbitrary code without a human-in-the-loop checkpoint.
  • [DATA_EXFILTRATION] (MEDIUM): Although no explicit exfiltration logic is present, the autonomous combination of read access to a codebase and the ability to execute network-capable commands (like curl or python) creates a high-risk surface for data theft if the agent is compromised via indirect injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 11:42 PM