ralph-loop
Fail
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides a bash script template that executes arbitrary commands via 'bash -lc "$TEST_CMD"'. The content of '$TEST_CMD' is sourced from 'AGENTS.md', a file that is read and updated by the AI agent during its loop, allowing for the execution of unvalidated code.
- [COMMAND_EXECUTION]: The instructions explicitly guide the generation of loops using security-bypassing flags for well-known AI tools, specifically '--dangerously-skip-permissions' for Claude Code and '--full-auto' for Codex. These flags remove human-in-the-loop oversight for sensitive operations.
- [PROMPT_INJECTION]: The skill's core workflow is vulnerable to indirect prompt injection because the agent is instructed to read and act upon content from local files that can be modified by the agent itself or external processes.
  - Ingestion points: Instructions are loaded from 'PROMPT.md', 'AGENTS.md', 'IMPLEMENTATION_PLAN.md', and 'specs/*.md'.
  - Boundary markers: The provided prompt templates lack delimiters or instructions to treat data files as non-executable or to ignore embedded instructions.
  - Capability inventory: The loops have capabilities to write to the file system, perform git commits, and execute shell commands.
  - Sanitization: There is no mechanism described or implemented to sanitize or validate the content of the markdown files before it is used to influence agent behavior or command execution.
Recommendations
- AI detected serious security threats