Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and follow instructions from a workspace file named `custom.md`, specifically during the 'Settlement' phase. This creates a vulnerability where untrusted content in the project directory can influence or override the agent's behavior during high-stakes actions like bounty processing and code PR creation.
  - Ingestion points: `custom.md`, `CLAUDE-activeContext.md`, `MEMORY.md` (via `/sync`).
  - Boundary markers: None. The skill is explicitly told to "follow instructions" from the file.
  - Capability inventory: Subprocess execution (`git`, `gh`, `rm`), tool-based financial operations (`contract_submit`, `contract_settle`), and sub-agent spawning (`Task`).
  - Sanitization: None detected.
- [COMMAND_EXECUTION]: The skill performs several shell operations, including pushing code to remote repositories (`git push`), creating pull requests (`gh pr create`), and deleting specific configuration files in the user's home directory (`rm -f ~/.claude/ralph-loop.local.md`). While these appear consistent with the skill's stated purpose, the file deletion occurs in a hidden system-level directory.
- [DYNAMIC_EXECUTION]: The skill programmatically spawns a secondary 'finality-agent' via the `Task` capability. While used here for verification, the ability to spawn autonomous sub-agents with dynamically generated prompts increases the complexity and risk profile of the skill's execution.
Audit Metadata