ralph
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The orchestration script scripts/ralph.sh invokes the claude and amp CLI tools with flags that explicitly disable security and permission prompts (--dangerously-skip-permissions and --dangerously-allow-all). This configuration allows the agent to execute arbitrary shell commands and perform file operations autonomously during its iteration loop.
- [PROMPT_INJECTION]: The skill exhibits a significant attack surface for indirect prompt injection, as it processes untrusted user-provided PRDs into executable tasks.
  - Ingestion points: The agent consumes tasks from prd.json, which is a JSON conversion of an external markdown PRD provided by the user.
  - Boundary markers: The instructions in scripts/CLAUDE.md lack explicit delimiters or negative constraints to prevent the agent from following instructions embedded within the user story content itself.
  - Capability inventory: According to scripts/CLAUDE.md, the agent is authorized to create git branches, modify any file in the repository to implement stories, and execute arbitrary shell commands for quality checks (lint, test, typecheck).
  - Sanitization: There is no evidence of sanitization or validation of the input PRD data before it is acted upon by the autonomous agent.
Audit Metadata