ralph-kage-bunshin-watcher

Warn

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill dynamically constructs and executes shell commands through tmux send-keys. It interpolates variables such as RALPH_PROJECT_DIR and RALPH_TASK_ID directly into command strings without sanitization. This allows potential command injection if these variables contain shell-active characters.
  • [PROMPT_INJECTION]: The skill has a significant surface for indirect prompt injection.
      • Ingestion points: Processes project files (.ralph/tasks.json, CLAUDE.md, .ralph/SPEC.md) and receives messages from external processes via a 'fakechat' port.
      • Boundary markers: No markers or instructions are present to distinguish orchestration logic from untrusted data within the ingested files.
      • Capability inventory: The skill can execute shell commands via tmux, send system notifications via osascript, and launch new sessions with --dangerously-skip-permissions.
      • Sanitization: There is no evidence of data sanitization or validation for content read from the file system or received via the network port.
  • [COMMAND_EXECUTION]: The skill invokes osascript to display desktop notifications. This is a form of external command execution driven by project state.
  • [COMMAND_EXECUTION]: Sub-agents are launched with the --dangerously-skip-permissions flag, which bypasses the standard human-in-the-loop safety checks for sensitive actions, increasing the risk if the worker agents are manipulated.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 28, 2026, 02:34 PM