ralph-plot-sprint
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from several sources that could be influenced by third parties:
  - Ingestion points: The agent fetches GitHub pull request comments (via `gh api repos/<owner>/pulls/<n>/comments`), PR metadata (via `gh pr list`), and a local steering file (`.ralph-state/instructions.md`) to determine its next actions.
  - Boundary markers: The skill logic does not employ delimiters or explicit instructions to distinguish between the agent's core instructions and the potentially malicious data fetched from external PR comments.
  - Capability inventory: The agent has extensive capabilities, including executing shell commands (using `gh` and `git`), modifying the local filesystem, and launching recursive sub-agent processes to perform tasks.
  - Sanitization: There is no evidence of validation or sanitization of the external content before it is used by the agent to plan and execute code fixes or PR management tasks.
- [DATA_EXFILTRATION]: The runner script `ralph-sprint.sh` performs network operations to an external URL (`CLAUDE_NTFY_URL`) using `curl` to provide iteration status updates. Although intended for push notifications, this mechanism creates a network channel that could be exploited to exfiltrate sensitive summaries or configuration details if they are captured in the iteration's output summary.
- [COMMAND_EXECUTION]: The automation script explicitly uses the `--dangerously-skip-permissions` flag when invoking the AI agent. This removes human-in-the-loop safety checkpoints, allowing the agent to execute shell commands and perform file modifications autonomously, which significantly increases the impact of a successful indirect prompt injection attack.
Audit Metadata