ralph-github-start-loop

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.85). The skill automates committing, closing, and pushing repository code and full issue/PR content to external services (via the gh CLI and an external "claude" LLM invocation), creating a significant data-exfiltration and unintended-change risk (automated remote code changes and disclosure of repository/issue contents to an external model). There is no obfuscation or credential-theft code, but the automatic LLM prompt/commit/push workflow makes this high-risk for leaking sensitive data or enabling remote modification.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). This skill fetches and embeds user-generated GitHub issue content into the agent prompt (see format_stories_for_agent using gh sub-issue list and gh issue view, then assembling ALL_STORIES/PRD_BODY into FULL_PROMPT passed to claude), so untrusted third-party issue text can indirectly inject instructions.

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Feb 16, 2026, 12:38 AM