ralph-upgrade
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches the latest scaffold from the remote repository at https://github.com/tolulawson/ralph-harness.
- [REMOTE_CODE_EXECUTION]: Executes a Python script (scripts/migrate-installed-runtime.py) that is contained within the downloaded remote repository.
- [COMMAND_EXECUTION]: Performs file system operations to modify project files including AGENTS.md, .codex/config.toml, .ralph/harness-version.json, and task-state.json.
- [PROMPT_INJECTION]: The skill instructions mandate treating remote content as authoritative, which constitutes an indirect prompt injection surface.
- Ingestion points: Data is ingested from the remote UPGRADING.md and src/upgrade-manifest.txt files (SKILL.md).
- Boundary markers: No specific delimiters or safety warnings are implemented to prevent the agent from obeying malicious instructions embedded in the remote files.
- Capability inventory: The skill has the capability to execute Python subprocesses and write/modify arbitrary files in the local repository (SKILL.md).
- Sanitization: There is no evidence of validation or sanitization of the remote content before it is processed as an instruction set.