ralph-loop-init
Fail
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill generates a Python script (loop.py) that invokes the claude CLI with the --dangerously-skip-permissions flag. This flag is designed to bypass the agent's security model by suppressing all user approval prompts for tool execution, creating a high-risk environment for unvetted system changes.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) by creating an autonomous loop that processes untrusted data.
  - Ingestion points: The skill extracts tasks from .claude/plans/*.md files and detects 'quality gate' commands from various project configuration files like package.json, Makefile, and pyproject.toml.
  - Boundary markers: No protective delimiters or 'ignore embedded instructions' warnings are included in the generated prd.json or CLAUDE.md files.
  - Capability inventory: The generated loop has unrestricted access to all agent tools (Bash, File Write, etc.) via the bypassed permission flag.
  - Sanitization: There is no evidence of sanitization or validation of the extracted implementation steps or quality gate commands before they are integrated into the execution logic.
- [COMMAND_EXECUTION]: During the initialization phase, the skill uses the Bash tool to inspect the local filesystem for testing and linting scripts. This process relies on the contents of files like package.json, which could be manipulated to inject malicious commands into the CLAUDE.md file's mandatory 'Quality Gates' section.
Recommendations
- AI detected serious security threats
Audit Metadata