ralph-wiggum
Audited by Socket on Mar 1, 2026
2 alerts found:
Obfuscated File / Anomaly
The document is a high-risk skill descriptor that proposes unbounded, self-referential LLM iteration. While it does not contain explicit malicious code, secrets, or remote endpoints, the described behavior enables autonomy escalation, amplification of prompt-injection risks, and resource/billing exhaustion if the agent has tool permissions. Recommend: do not enable without runtime guardrails: require iteration limits, timeouts, explicit user confirmations for side-effecting actions, strict least-privilege scoping for tools, and input/output sanitization/validation. Treat this as a potentially dangerous automation pattern that must be constrained; not confirmed malware but a significant security risk if misconfigured.
The provided documentation describes a powerful automation that enables continuous, self-referential agent loops by blocking session exits and re-invoking an agent with the same prompt and persisted workspace. The technique itself is not demonstrably malicious, but it creates significant security risks: potential data exfiltration to model APIs, unbounded resource/cost consumption, and unrestricted repository mutation. These risks stem from design choices (default unlimited iterations, exact-token completion matching, lack of file access controls). Before using this plugin in sensitive environments, implement strong safeguards (iteration limits by default, file access policies, prompt/output sanitization, operator confirmations, and audit logging).