ralph-loop
Pass
Audited by Gen Agent Trust Hub on May 28, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it directs the agent to ingest and act upon instructions from locally stored files which could be modified by external actors (e.g., via malicious pull requests).
- Ingestion points: The skill explicitly reads from
.claude/ralph-loop.local.mdandTODO.mdto determine its current task and completion status. - Boundary markers: Absent. There are no instructions to the agent to distinguish between the skill's system instructions and the potentially untrusted content of the project files.
- Capability inventory: High. The skill is designed for Claude Code, which possesses capabilities for file system modification, command execution, and network access.
- Sanitization: Absent. The agent is instructed to "Implement next incomplete task" directly from the
TODO.mdfile. - [COMMAND_EXECUTION]: The skill encourages the autonomous execution of commands across multiple iterations without user confirmation.
- Evidence: The 'Verification Commands' section allows for arbitrary shell commands (e.g.,
python -m pytest) to be run automatically to verify progress. While intended for legitimate development, this mechanism executes whatever is defined in the state file.
Audit Metadata