ralph-loop
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by design. It implements an autonomous loop that re-injects the content of a project-level file (PROMPT.md) into the agent's context during each iteration.
  - Ingestion points: Reads from .claude/ralph/PROMPT.md (template in templates/implementation-template.md).
  - Boundary markers: None explicitly implemented in the provided management scripts; the skill relies on the agent to interpret the re-injected JSON decision.
  - Capability inventory: The skill is configured with powerful tools including Bash, Write, and Edit, which could be exploited if the loop is compromised.
  - Sanitization: There is no evidence of sanitization or filtering of the content being re-injected into the prompt.
- [COMMAND_EXECUTION]: The skill's architecture relies on the execution of local shell scripts and Node.js hooks to manage the loop lifecycle.
  - Evidence: The implementation template in templates/implementation-template.md suggests using a launcher script (ralph-audit.sh) and a stop hook (ralph-stop-hook.cjs) that the agent interacts with.
  - Context: While these are standard for the skill's orchestration purpose, the autonomous nature of the execution loop increases the potential impact of any command injection or unintended tool use.
- [DATA_EXFILTRATION]: The hooks/post-execute.cjs script attempts to execute a local observability tool located at a relative path outside the skill's own directory structure.
  - Evidence: require(path.resolve(__dirname, '../../../../tools/observability/send-event.cjs')).
  - Context: This is a vendor-internal resource for event tracking and does not escalate the verdict, but it represents an external execution dependency.
Audit Metadata