ralph-orchestrator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is designed to autonomously interpret and execute tasks from PROMPT.md. If this file is populated by an untrusted source, it can contain instructions that hijack the agent's behavior to perform malicious actions on the host system.
- COMMAND_EXECUTION (HIGH): The orchestrator is explicitly designed for 'automating development tasks' including file writing (allow_file_write: true) and executing AI backends. This provides an attacker-controlled prompt with a direct path to execute arbitrary code or modify sensitive files until 'completion signals' are met.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the installation of an external, unverifiable Python package, ralph-orchestrator, which is not from a trusted organization or repository.
- INDIRECT_PROMPT_INJECTION (HIGH): Mandatory Evidence Chain:
  - Ingestion points: Task requirements are read from PROMPT.md.
  - Boundary markers: None identified; the agent processes the raw markdown content as its primary instruction set.
  - Capability inventory: File writing, web search, state persistence (Git), and general shell-based development operations (implied by 'Created: main.py').
  - Sanitization: No sanitization or safety filtering is mentioned for the input prompt content.
Recommendations
- AI detected serious security threats
Audit Metadata