ralph

Warn

Audited by Socket on Apr 10, 2026

2 alerts found:

Alert type: Anomaly (Security), severity: LOW
File: afk-ralph.sh

No clear evidence of overt malware (exfiltration, reverse shell, system destruction, cryptomining, or dynamic code execution on the host) in this fragment. However, it intentionally extracts credentials from macOS Keychain and injects them into a Docker sandbox, writes GH_TOKEN into a persistent sandbox config, and runs sandbox actions with bypassPermissions driven by GitHub issue content. This creates a meaningful supply-chain security risk: if the sandbox or prompts are influenced maliciously (e.g., prompt injection via issue bodies) or if the sandbox image is compromised, the injected tokens could enable unauthorized GitHub changes and PR/issue manipulation. Review the sandbox implementation/image and how prompt text is sanitized/handled.

Confidence: 70%, Severity: 60%
Alert type: Security, severity: MEDIUM
File: SKILL.md

SUSPICIOUS. The skill’s coding/issue automation purpose is coherent, but its footprint is high-risk: it installs additional third-party skills from a personal repo through a mutable CLI, processes untrusted GitHub content while executing code changes, and enables autonomous commits/pushes/PRs. No direct credential theft or exfiltration is shown, so this is not confirmed malware, but it is a high-risk autonomous development skill.

Confidence: 85%, Severity: 73%
Audit Metadata
Analyzed At: Apr 10, 2026, 04:47 PM
Package URL: pkg:socket/skills-sh/TheCraigHewitt%2Fskills%2Fralph%2F@7bffd0724675b6af5a1846ae4bdf8482674b535f