ralph-loop
Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill generates a bash script (`ralph.sh`) via `init_ralph.py` that executes the `claude` CLI with the `--dangerously-skip-permissions` flag.
- This flag explicitly bypasses the agent's built-in permission prompts, i.e. the checks that would otherwise gate each tool call (file writes, shell commands) on human approval.
- Combined with the loop structure, it lets the agent perform autonomous system modifications (file writes, shell commands) repeatedly, with no human oversight of any individual step.
- PROMPT_INJECTION (LOW): The skill facilitates Indirect Prompt Injection (Category 8) by design, as it iteratively processes tasks that may contain untrusted data from a codebase or external backlog.
- Ingestion points: `backlog.json` and the native Task system (via `TaskGet`).
- Boundary markers: Absent; the generated `prompt.md` uses no delimiters around task content and gives no instruction to ignore commands embedded in task descriptions.
- Capability inventory: Full filesystem and shell access via the `claude` toolset.
- Sanitization: None; task data is consumed directly to guide the agent's next action.
Recommendations
- AI detected serious security threats
Audit Metadata