ralph-json-start-loop
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill invokes a local shell script at ~/.claude/skills/ralph/ralph.sh. Since the content of this script is not provided in the skill package, its operations and safety cannot be verified.
- [COMMAND_EXECUTION] (MEDIUM): The agent instructions grant the model broad authority to run 'quality checks' using 'whatever your project requires.' This allows for the execution of arbitrary shell commands defined within project configuration files (e.g., package.json, Makefile) found in the workspace.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted data from the project codebase.
  1. Ingestion points: The agent reads user-provided project definitions in prd.json and history in .ralph-progress.txt.
  2. Boundary markers: Absent; there are no delimiters or instructions to ignore commands embedded in the project files.
  3. Capability inventory: The skill can execute shell commands, perform git operations, and modify local files.
  4. Sanitization: Absent; the skill does not validate or sanitize instructions parsed from the JSON or log files before processing them.
Audit Metadata