ralph-script
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH
Threat categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The generated script ralph-loop.sh invokes the claude CLI with the --dangerously-skip-permissions flag. This bypasses the interactive approval process for shell commands, granting the AI agent full, unattended command-line access to the host system.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8). It reads data from files such as PLAN.md, PROBLEM.md, and PRD.md and interpolates their content directly into the agent's prompt without sanitization or strong boundary markers. Instructions hidden in these files can override the agent's intended behavior.
  - Ingestion points: Files PLAN.md, PROBLEM.md, PRD.md, and specs/README.md are read in ralph-loop.sh and SKILL.md (Step 2).
  - Boundary markers: None identified; the files are passed as raw text context.
  - Capability inventory: The agent has full shell access via the claude CLI with permission skipping.
  - Sanitization: No escaping or validation is performed on the content of the project files before they are processed.
- [REMOTE_CODE_EXECUTION]: Because the agent operates autonomously and acts upon instructions found in the project's markdown files, a malicious actor who can influence these files (e.g., via a Pull Request) can achieve code execution on the user's machine.
- [COMMAND_EXECUTION]: The skill's setup process automatically modifies file permissions using chmod +x for the ralph-loop.sh script, facilitating the deployment of a high-risk autonomous tool.
Recommendations
- AI detected serious security threats
Audit Metadata