ralphing
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill executes a local shell script (
assets/ralph.sh) and allows for an arbitrarytest_cmd(e.g.,npm test,bundle exec rake) to be passed as an argument. This parameter provides a direct path for executing untrusted shell commands on the host system. - [PROMPT_INJECTION] (HIGH): High-risk Indirect Prompt Injection vulnerability surface. The skill is designed to ingest and act upon untrusted data from a PRD file to drive an autonomous loop with significant system capabilities.
- Ingestion points: The PRD file (
prd.md) is used to generate the prompt and guide the coding loop. - Boundary markers: No specific delimiters or safety instructions are mentioned to prevent the agent from obeying malicious instructions embedded within the PRD stories.
- Capability inventory: The skill possesses the ability to modify files (implementing features), perform git operations (commit/revert), and execute shell commands via the background loop.
- Sanitization: There is no evidence of sanitization for the PRD content or the user-provided test commands.
- [REMOTE_CODE_EXECUTION] (HIGH): The autonomous loop functionality (Category 10 / Dynamic Execution) involves the agent writing code and then executing it via 'test commands'. If the PRD is malicious, it can influence the agent to write and execute arbitrary malicious code in the local environment.
Recommendations
- AI detected serious security threats
Audit Metadata