Plugin Settings

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection via settings files. In 'references/real-world-examples.md' (ralph-wiggum section), the 'stop-hook.sh' script extracts instructions from the body of '.claude/ralph-loop.local.md' and feeds them directly back to the agent as its next instruction via the 'reason' field. This creates a critical vulnerability where any untrusted content written to that file (e.g., from a malicious repository) can take control of the agent's behavior.
  • [COMMAND_EXECUTION] (HIGH): Cross-session command injection via tmux. The 'agent-stop-notification.sh' script in 'references/real-world-examples.md' uses 'tmux send-keys' to send data extracted from settings files to other terminal sessions. Because 'send-keys' simulates keyboard input, attacker-controlled variables like 'AGENT_NAME' can be used to execute arbitrary commands if they contain shell metacharacters and the target session is a shell prompt.
  • [COMMAND_EXECUTION] (MEDIUM): Shell injection in setup scripts. Both the swarm launch example and 'scripts/setup-ralph-loop.sh' use unquoted heredocs ('<<EOF') to write variables like '$PROMPT' and '$EXTRA_INSTRUCTIONS' to files. This causes the shell to evaluate any code within backticks or subshells in those variables during the file creation process.
  • [COMMAND_EXECUTION] (LOW): Fragile YAML parsing. Multiple scripts, including 'parse-frontmatter.sh' and 'read-settings-hook.sh', use 'sed' and 'grep' for parsing settings files. This is inherently unsafe compared to a proper YAML parser and can lead to field confusion or injection if the settings file is maliciously crafted.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 09:09 PM