loop
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted external data via variables like {{ feature_name }}, {{ core_requirement }}, and {{ task }} to drive an autonomous loop with side-effect capabilities. (1) Ingestion points: Input variables in the Standard and TDD prompt templates. (2) Boundary markers: The skill uses tags like COMPLETE as signals, which are easily spoofed by malicious input to hijack control flow. (3) Capability inventory: High-privilege actions including file modification, build execution, and test running. (4) Sanitization: None present.
- REMOTE_CODE_EXECUTION (HIGH): The 'Architecture' section defines a modular system (e.g., ralph-loop-core.yaml, ralph-loop-recovery.yaml) using 'chargement paresseux' (lazy loading). Because these external logic files are not provided and their source is not restricted, they represent a critical vector for executing unverified instructions if the agent fetches them from an insecure location.
- COMMAND_EXECUTION (MEDIUM): The skill is designed to automate coding tasks by checking for 'Build réussi' (build succeeded) and 'Tests passants' (tests passing), which requires the execution of arbitrary shell commands. While expected for development, this provides a direct execution path for malicious instructions hidden in an indirect prompt.
- EXTERNAL_DOWNLOADS (MEDIUM): The dependency on multiple external configuration files without specified trusted sources violates the principle of a self-contained skill and encourages the processing of unverified remote resources.
Recommendations
- AI detected serious security threats
Audit Metadata