ralph-evolver
Warn
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes execFileSync to run system commands including git, grep, npm, and pytest. It specifically executes scripts defined within the target project's configuration (e.g., npm run build, npm test), which may result in the execution of arbitrary commands if the skill is pointed at a malicious project directory.
- [REMOTE_CODE_EXECUTION]: A core feature of the skill is 'recursive self-evolution,' where the AI agent is explicitly instructed to modify the skill's own source code (evolve.js) and continue execution in a loop. This results in the local execution of code generated by the LLM.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it scrapes untrusted data from the target project, including TODO/FIXME comments, git commit messages, and source code, and interpolates them directly into the LLM prompt without sanitization or protective delimiters.
- Ingestion points: Data is collected from the file system and git history via the RuntimeSignals and HealthChecker classes in evolve.js.
- Boundary markers: None. Ingested external content is placed directly under markdown headers, with no markers that would prevent the model from obeying embedded instructions.
- Capability inventory: The skill can execute shell commands via child_process.execFileSync and modify files using fs.writeFileSync and fs.renameSync.
- Sanitization: None. The skill does not escape, filter, or validate the content extracted from the target project before including it in the prompt.
Audit Metadata