
autodev

Warn

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it autonomously ingests and executes tasks from an external, potentially untrusted PRD file.
      ◦ Ingestion points: The {prd} file (e.g., PRD.md) is read in Phase 2 to determine the next action.
      ◦ Boundary markers: There are no explicit delimiters or instructions to ignore malicious commands embedded within the PRD content.
      ◦ Capability inventory: The skill has access to the Bash, Write, Edit, and Read tools, allowing it to modify the codebase and execute commands based on injected instructions.
      ◦ Sanitization: No sanitization or validation of the PRD content is performed before the agent plans and implements changes.
  • [COMMAND_EXECUTION]: The skill executes arbitrary shell commands defined in environment files or provided by the user.
      ◦ Evidence: The verify command is auto-detected from package.json, pyproject.toml, or Makefile and executed via Bash without validation.
      ◦ Persistence: The skill relies on a 'Stop Hook' mechanism (~/.claude/hooks/ralph-loop.sh) that automatically restarts sessions upon termination to create a continuous loop, which functions as a persistence mechanism.
  • [DATA_EXFILTRATION]: The automated commit process uses broad commands that could lead to accidental data exposure.
      ◦ Evidence: The use of git add -A in the COMMIT phase (Phase 2, Step 5) automatically stages all changes in the directory. If sensitive files (such as credentials or logs) are created during the autonomous execution, they could be committed and pushed to a remote repository without human review.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 9, 2026, 04:21 PM