ralph-orchestrator
Fail
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation explicitly recommends configuring the Ralph CLI with the --dangerously-skip-permissions flag, which bypasses security permission checks during autonomous code execution loops.
- [EXTERNAL_DOWNLOADS]: The skill requires the global installation of the @ralph-orchestrator/ralph-cli NPM package, which is an external dependency whose safety cannot be verified by the skill's static analysis.
- [PROMPT_INJECTION]: The skill contains logic to refactor user requests into architectural prompts for other models. It is vulnerable to indirect prompt injection because it interpolates raw user input into a privileged context.
  - Ingestion points: SKILL.md (Phase 0, Step 2: Prompt Refactoring).
  - Boundary markers: Absent; the original_user_request is placed directly into an f-string template.
  - Capability inventory: High-privilege file system access (Read, Write, Edit, Glob), Git command execution, and subagent spawning via the Task tool.
  - Sanitization: Absent; no escaping or validation is performed on the user-provided intent before prompt construction.
- [COMMAND_EXECUTION]: The skill automates long-running, autonomous background processes using nohup and disown to execute generated tasks, creating a risk of persistent, unintended system modifications if the planning phase is compromised.
- [PROMPT_INJECTION]: The skill includes instructions that attempt to override standard agent behavior, such as 'DO NOT include preambles, status updates, or meta-commentary' and 'Proceed directly to architectural design'.
Recommendations
- AI detected serious security threats
Audit Metadata