ralph-orchestrator
Fail
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes a local bash script, scripts/ralph.sh, to manage an autonomous execution loop.
- [COMMAND_EXECUTION]: Within scripts/ralph.sh, the skill executes the claude CLI using the --dangerously-skip-permissions flag. This explicitly disables the security guardrails that normally require a human to approve shell commands before they are executed.
- [COMMAND_EXECUTION]: The autonomous agent is instructed to execute arbitrary commands defined in tasks/prd.json (specifically verificationCommands and testCommands). Since these commands are often generated by AI based on requirements gathering (spec-interview), they could be manipulated to execute malicious code if the initial requirements are poisoned.
- [REMOTE_CODE_EXECUTION]: The pipeline architecture allows for a chain of execution where untrusted input in a SPEC or PRD document is transformed into executable commands in a JSON file, which are then run automatically with full system permissions by the orchestrator.
- [DATA_EXPOSURE]: The skill performs extensive file system operations, reading and writing sensitive project metadata, git logs, and source code. Combined with the lack of command permissions, this provides a path for unauthorized data access or exfiltration.
Recommendations
- AI detected serious security threats
Audit Metadata