setup-ralph
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill creates a script (`ralph.sh`) that invokes the AI agent with the `--dangerously-skip-permissions` flag. This allows the agent to run any shell command (e.g., git, npm, or arbitrary bash) without user approval. Because the agent's actions are driven by the content of requirements files (`prd.json`) which can be influenced by external sources, this constitutes an unauthenticated remote code execution vector.
- [COMMAND_EXECUTION] (HIGH): The initialization process (`scripts/setup.sh`) modifies file system permissions and creates executable scripts. While part of the setup, it establishes the high-risk execution environment that bypasses standard agent security protocols.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from `PRD.md` and user-provided descriptions, then passes this content directly to a privileged agent.
  1) Ingestion: `step-02-create-stories.md` reads external PRD files.
  2) Boundaries: None.
  3) Capabilities: Full shell access via the skip-permissions flag.
  4) Sanitization: None.
  A poisoned PRD can dictate malicious commands that the loop will execute automatically.
Recommendations
- AI detected serious security threats
Audit Metadata