ralph-orchestrator

Fail

Audited by Snyk on Mar 19, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The content includes deliberate, high-risk automation (unattended code edits/merges via worktrees and Task subagents), explicit permission-bypass flags (e.g., --dangerously-skip-permissions and "danger-full-access" sandbox), and instructions that routinely send repository/files to external LLMs (codex exec), enabling covert backdoor insertion, persistent background processes, and potential exfiltration of secrets — indicating strong potential for misuse.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's Issue Resolution workflow and Task subagent prompts explicitly instruct agents to call external search/mcp tools (mcp__exa__get_code_context_exa and mcp__Ref__ref_search_documentation) to fetch code examples and framework documentation from third‑party sources, and to read/incorporate those results when applying fixes, which means untrusted public content can be ingested and materially influence subsequent actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt explicitly instructs bypassing permission controls (e.g., backend args "--dangerously-skip-permissions" and sandbox modes like "danger-full-access") and directs autonomous, persistent execution that can edit/merge worktrees and run privileged-scope CLI actions, which encourages bypassing security and modifying machine state beyond safe project-scoped changes.

Issues (3)

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Mar 19, 2026, 09:42 AM
  • Issues: 3