ralph
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Vulnerability to Indirect Prompt Injection through untrusted external data processing.
- Ingestion points: The skill takes a PRD (markdown file or text) as input to generate the
prd.jsonfile. - Boundary markers: No boundary markers or instructions to ignore embedded commands within the input PRD are present in the skill definition.
- Capability inventory: The skill produces a plan (
prd.json) that directs the Ralph autonomous system to modify the file system, execute shell scripts (ralph.sh), and perform browser automation (dev-browserskill). - Sanitization: There is no evidence of sanitization, validation, or escaping of the content extracted from the PRD before it is interpolated into the
userStoriesandacceptanceCriteriafields of the output JSON. - [COMMAND_EXECUTION] (LOW): The skill instructions assume the existence of a local orchestration script.
- Evidence: References to
ralph.shin the 'Archiving Previous Runs' section. While the MD doesn't execute it directly, the workflow depends on it.
Recommendations
- AI detected serious security threats
Audit Metadata