ralph-tdd
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The orchestration script
scripts/ralph-tdd.shexecutes the AI agent (Claude or Codex) using flags that explicitly disable all security and permission prompts (--dangerously-skip-permissionsfor Claude Code and--dangerously-bypass-approvals-and-sandboxfor Codex). This configuration enables the agent to execute any arbitrary shell command on the host system autonomously. - [EXTERNAL_DOWNLOADS]: The documentation encourages the installation of external AI skills from third-party sources (e.g.,
npx skills add mattpocock/skills@tdd), which introduces unverified code into the development environment. - [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection because it incorporates external, untrusted data into a high-privilege autonomous loop.
- Ingestion points: The agent is instructed to read from
.ralph/progress.md,.ralph/lessons.md, and external backlog sources such as Linear teams, GitHub issues, or local PRD files. - Boundary markers: The system prompt in
scripts/ralph-tdd.shdoes not use delimiters or instructions to isolate untrusted backlog data from the agent's core instructions. - Capability inventory: The agent has unrestricted shell access and filesystem permissions due to the 'full-auto' flags used in the script.
- Sanitization: There is no evidence of sanitization or validation of the content retrieved from the backlog sources before it is processed by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata