skills/cailmdaley/skills/ralph-loops/Gen Agent Trust Hub

ralph-loops

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The automation script scripts/ralph invokes CLI tools with flags that explicitly disable safety and security permissions, specifically using --dangerously-skip-permissions for Claude and --dangerously-bypass-approvals-and-sandbox for Codex.
  • [COMMAND_EXECUTION]: The skill instructions in SKILL.md explicitly direct the agent to execute the command kill $PPID to terminate its parent process as a standard exit procedure, allowing for unmediated process control.
  • [COMMAND_EXECUTION]: The execution script scripts/ralph dynamically generates a temporary shell script in /tmp, modifies its permissions with chmod +x, and executes it in a background tmux session.
  • [PROMPT_INJECTION]: The SKILL.md file contains instructions that direct the agent to override standard operating procedures, such as 'You have authority. Trust the spec, don't ask permission', which encourages the agent to bypass human-in-the-loop safety checks.
  • [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection because the content of an external spec file is interpolated directly into the system prompt with minimal boundary markers and no sanitization.
    1. Ingestion points: scripts/ralph reads the user-provided spec file (assets/spec.md).
    2. Boundary markers: The content is wrapped in a simple header 'Ralph iteration $iteration. Spec: $SPEC_FILE' without strict delimiters or instructions to ignore embedded commands.
    3. Capability inventory: The agent is granted full authority to perform file system operations, git commits, and shell command execution.
    4. Sanitization: No input validation or sanitization is performed on the spec file content before processing.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 1, 2026, 12:00 PM