
ralph

Fail

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/ralph.sh script executes CLI tools (claude and amp) with the flags --dangerously-skip-permissions and --dangerously-allow-all. These flags bypass all interactive safety prompts, allowing the autonomous agent to execute any shell command on the host system without user oversight.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection during the conversion of user PRDs into prd.json.
    • Ingestion points: Project requirements are parsed into prd.json via SKILL.md and read by the orchestrator.
    • Boundary markers: The instructions lack delimiters or warnings to treat the JSON data as untrusted.
    • Capability inventory: The agent can read and write files, execute shell commands (for testing and implementation), and perform git operations.
    • Sanitization: No validation or sanitization is performed on the PRD content before it drives the agent's actions.
  • [REMOTE_CODE_EXECUTION]: The agent is instructed to 'Implement' and 'Run quality checks' (e.g., tests and linting) based on the contents of the untrusted prd.json. This allows arbitrary code defined by external input to be executed.
  • [COMMAND_EXECUTION]: In scripts/CLAUDE.md, the agent is directed to update project-wide CLAUDE.md instruction files. This allows for persistent poisoning, where a compromised session can modify the agent's long-term behavior across different parts of the project codebase.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 15, 2026, 01:48 AM