ralph-status

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • Privilege Escalation (HIGH): Step 2 explicitly instructs the user or agent to use sudo apt install sqlite3. Requesting root privileges is a high-risk operation.
  • Data Exposure & Exfiltration (HIGH): Step 7 (Choice B) starts a Python HTTP server (python -m http.server 8080) in the current directory. This server has no authentication and exposes all files in the working directory (including the database, source code, and potentially sensitive environment files) to the local network or internet.
  • Indirect Prompt Injection (HIGH): The skill implements an attack surface for indirect prompt injection.
      ◦ Ingestion points: Data is ingested from ralph.db via sqlite3 queries (Step 4).
      ◦ Boundary markers: There are no boundary markers or instructions to treat database content as untrusted data.
      ◦ Capability inventory: The skill uses the Bash tool and describes an autonomous loop to "Implement the task" and "Run tests" based on database content.
      ◦ Sanitization: No sanitization or validation is performed on the strings retrieved from the database before they are used to influence agent behavior.
  • Dynamic Execution (HIGH): The 'Ralph Loop' (Step 7, Choice A) describes an autonomous process where the agent generates code ('Implement the task') and executes it ('Run Playwright tests') in a loop based on task descriptions. This is uncontrolled code execution of agent-generated content influenced by external data.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 07:56 AM