NYC

ralph-loop

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Prompt Injection] (HIGH): The skill processes a user-defined task description and continues until a specific string is detected, creating an attack surface for indirect prompt injection.
    1. Ingestion Point: The task description parameter in the /ralph-loop command.
    2. Boundary Markers: None specified to separate instructions from data.
    3. Capability Inventory: Includes Bash, Write, and Read.
    4. Sanitization: None mentioned.
    This allows external content processed by the agent (e.g., via Read or Bash) to potentially inject instructions into the next loop iteration.
  • [Command Execution] (HIGH): The allowed-tools list includes Bash, permitting the agent to run arbitrary shell commands. When used within an automated loop that re-injects prompts, this significantly increases the risk of the agent being manipulated into executing malicious code without human intervention.
  • [External Downloads] (MEDIUM): Metadata points to untrusted third-party sources (code-yeongyu/oh-my-opencode and sst/opencode) which are not within the recognized trust scope defined in the safety protocols.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:52 AM