maestro

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The ralph-qa-engine.js script uses child_process.spawnSync with shell: true to execute commands passed as arguments. Because the command line is handed to a shell, metacharacters in any argument (;, |, &&, $(...), backticks, redirects) are interpreted, so the AI agent can execute arbitrary shell commands on the host in the context of running tests.
  • [COMMAND_EXECUTION] (MEDIUM): The Stop hook (hooks/stop.js) can override the user's intent to end a session. It returns a block signal to the CLI, which keeps the agent in autonomous iterations; the only ways out are reaching the iteration limit or deleting the state files by hand.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The git-worktrees skill automatically invokes package installers such as npm install, pip install, and go mod download when setting up a new workspace. npm lifecycle scripts (preinstall, install, postinstall) and pip source builds run code from the repository or its dependencies at install time, so processing a repository with untrusted dependencies can execute malicious code before any test runs.
  • [EXTERNAL_DOWNLOADS] (LOW): The .mcp.json configuration uses npx to fetch and execute the @upstash/context7-mcp package from a remote registry at runtime. Unless the package is pinned to an exact version, each launch can resolve and run whatever release the registry serves at that moment.
  • [PROMPT_INJECTION] (LOW): The memory system in hooks/pre-compact.js ingests session history and compact summaries into brain.jsonl without sanitization or boundary markers, creating an indirect prompt injection surface: anything that ended up in the transcript, including tool output and test logs, can be carried into the agent's long-term memory and later read back as if it were the agent's own notes.
      • Ingestion points: Session transcripts are read via extractLastSummary from the project's transcript directory.
      • Boundary markers: No delimiters or instructions to ignore embedded content were found in the ingestion logic.
      • Capability inventory: The skill has subprocess execution capabilities via the Ralph Wiggum QA engine, so instructions smuggled into memory can translate into commands on the host.
      • Sanitization: Content is parsed as JSON but not sanitized before being placed into the agent's long-term memory context.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 04:42 PM