ralph
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The execution loop in `ralph/ralph.sh` invokes AI agents using flags (`--dangerously-skip-permissions` and `--dangerously-allow-all`) that explicitly disable safety prompts and permission checks. This allows the AI agent to autonomously execute generated code, including shell commands and file modifications, on the host system without human oversight.
- [COMMAND_EXECUTION]: The skill's scripts (`ralph/ralph.sh`, `ralph/ralph-tree.sh`) perform several high-risk operations, such as creating and managing git worktrees and running package installation commands (`bun install`). These scripts also execute dynamically resolved bash scripts (`ralph.sh`) without verifying the integrity of the environment or the instructions generated from user-provided PRDs.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted PRD text and converts it into a `prd.json` file, which then serves as the primary instruction set for the autonomous agent.
  - Ingestion points: PRD markdown text processed in `SKILL.md` and task definitions stored in `prd.json`.
  - Boundary markers: None identified; untrusted data is directly converted into task instructions.
  - Capability inventory: Full filesystem access, command execution, and network capabilities via the `ralph.sh` execution loop.
  - Sanitization: The skill does not implement validation or escaping for the user stories extracted from the PRD.
- [DATA_EXFILTRATION]: The `notify` function in `ralph/ralph.sh` sends development progress updates, including git branch names and user story titles, to the well-known notification service `ntfy.sh`. This provides external visibility into project status and internal task names.
Recommendations
- AI detected serious security threats