ralph-plot-sprint
Warn
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The runner script ralph-sprint.sh defaults to executing the AI agent with the --dangerously-skip-permissions flag. This configuration bypasses built-in security prompts for tool execution, allowing the agent to perform potentially destructive actions such as file modifications and shell commands without explicit human consent for each iteration.
- [PROMPT_INJECTION]: The skill implements an instruction-injection mechanism in which the content of .ralph-state/instructions.md is prepended verbatim to the agent prompt as a HUMAN OVERRIDE. This creates a vector for malicious instructions to enter the agent context if the local file system is compromised or if untrusted processes can write to that directory.
- [DATA_EXFILTRATION]: The script ralph-sprint.sh contains a notify function that transmits sprint summaries, metadata, and session IDs to an external server specified by the CLAUDE_NTFY_URL environment variable. While this is an intended notification feature, it establishes an automated channel for project data transfer to a remote service.
- [PROMPT_INJECTION]: The skill processes external data, including GitHub Pull Request comments and project documentation (docs/definition-of-done.md), without sufficient sanitization or instruction-isolation boundaries. This exposes the agent to indirect prompt injection attacks where malicious content in a PR could influence the agent's behavior during a sprint iteration.
Audit Metadata