ralph-prd
Fail
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation (SKILL.md) references a script (ralph.sh) designed to run an autonomous loop using the --dangerously-skip-permissions flag, which explicitly directs the system to bypass standard security and permission checks.
- [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection where untrusted user input from discovery questions is interpolated into tasks.json and prd.md templates. (1) Ingestion points: User responses to discovery questions in SKILL.md and WORKFLOW.md. (2) Boundary markers: Absent in the generated tasks.json and prompt.md files. (3) Capability inventory: The agent is instructed to execute shell commands such as npm, curl, and playwright-cli in the prompt.md.template. (4) Sanitization: Absent; input is used directly to create executable task steps.
- [COMMAND_EXECUTION]: The troubleshooting guide (TROUBLESHOOTING.md) suggests using destructive commands like rm -rf, which poses a higher risk in an autonomous environment without manual oversight.
Recommendations
- AI detected serious security threats