flow-next-ralph-init

Warn

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill configures the ralph.sh harness to run the claude CLI with the --dangerously-skip-permissions flag (via the YOLO=1 setting in config.env). This allows the autonomous agent to execute shell commands and perform file operations without user oversight or confirmation.
  • [COMMAND_EXECUTION]: During initialization, the skill uses chmod +x to grant execution permissions to several scripts and binaries (ralph.sh, ralph_once.sh, flowctl, ralph-guard.py) it creates in the scripts/ralph/ directory.
  • [PROMPT_INJECTION]: The harness exposes an indirect prompt injection surface by retrieving data from the local repository and interpolating it into the prompts used to drive the agent's actions.
      ◦ Ingestion points: Data from git status, git log, and flowctl show (referenced in templates/prompt_plan.md, prompt_work.md, and prompt_completion.md) is incorporated into the agent's context.
      ◦ Boundary markers: The prompts lack delimiters or specific instructions to the agent to disregard instructions that might be embedded within the repository data.
      ◦ Capability inventory: The autonomous agent has access to all standard tools, including shell execution (bash) and file system access, with high risk due to the disabled permissions checks.
      ◦ Sanitization: No sanitization or filtering is performed on the data retrieved from the repository before it is placed into the prompts.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 13, 2026, 01:09 AM