Gen Agent Trust Hub audit: skills/thecraighewitt/skills/ralph

ralph

Fail

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [CREDENTIALS_UNSAFE]: The script afk-ralph.sh extracts sensitive Claude OAuth credentials directly from the macOS Keychain using security find-generic-password and retrieves GitHub authentication tokens via gh auth token. These secrets are processed in plain text within the script logic.
  • [DATA_EXFILTRATION]: Harvested host credentials (Claude and GitHub tokens) are automatically injected into a Docker sandbox environment. While this facilitates autonomous operation, it exposes the user's primary session secrets to an AI agent configured to bypass standard permission prompts.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection (Category 8). It fetches GitHub issue titles and bodies using the gh CLI and interpolates them directly into the agent's prompt without sanitization, escaping, or boundary markers. An attacker with the ability to create or comment on issues in the target repository could potentially hijack the autonomous loop to execute malicious code or modify the repository using the agent's credentials.
    • Ingestion points: afk-ralph.sh (fetching PRD and sub-issue bodies via gh issue view) and ralph-once.sh.
    • Boundary markers: Absent; uses raw string interpolation.
    • Capability inventory: Shell command execution (test suites), Git operations (commit/push), GitHub CLI operations (closing issues/PR creation), and project-wide file write access.
    • Sanitization: Absent.
  • [COMMAND_EXECUTION]: The autonomous loop is explicitly configured to use --permission-mode bypassPermissions (in afk-ralph.sh) and --permission-mode acceptEdits (in ralph-once.sh). This removes human-in-the-loop safeguards and allows the AI to modify files and execute arbitrary shell commands (detected from project config) without confirmation.
  • [EXTERNAL_DOWNLOADS]: The documentation instructs users to install third-party skills from an external GitHub repository (mattpocock/skills) using npx, which executes remote code and introduces supply chain risk.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 10, 2026, 04:45 PM