ralph-loop
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local setup script (scripts/setup.sh) to initialize the project structure, using user-provided paths and names that are not rigorously sanitized before use in shell operations.
- [COMMAND_EXECUTION]: The setup script applies chmod +x to the dynamically generated ralph.sh script, which is a file created at runtime within the user's project directory.
- [REMOTE_CODE_EXECUTION]: The skill generates an autonomous execution script (ralph.sh) that invokes a CLI tool with the --dangerously-skip-permissions flag. This flag is explicitly designed to bypass security confirmations for file access and command execution, facilitating an unmonitored autonomous environment.
- [PROMPT_INJECTION]: The skill's architecture is susceptible to indirect prompt injection. The generated loop reads from a progress.txt file that the AI agent updates itself. A compromised agent or an attacker could inject malicious instructions into this file, which would then be followed by the agent in subsequent iterations.
- Ingestion points: step-01-interactive-prd.md (user input during brainstorming) and ralph.sh (reading prd.json and progress.txt as context for the next iteration).
- Boundary markers: No delimiters or "ignore embedded instructions" warnings are used when the generated script passes file content to the CLI.
- Capability inventory: The generated loop agent has capabilities to read/write files and execute git commands within the target repository.
- Sanitization: No validation or sanitization is performed on the user-provided PRD or the agent-generated progress logs before they are re-processed in the execution loop.
Audit Metadata