ralph-builder
Pass
Audited by Gen Agent Trust Hub on Jun 12, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes common local command-line tools including `git` for branch and tag operations, `jq` for parsing JSON output, and `openssl` for generating unique run identifiers.
- [COMMAND_EXECUTION]: It manages project tasks through the `beads` (bd) CLI, which acts as a local graph database for task tracking and state management within the repository.
- [PROMPT_INJECTION]: The skill provides a surface for indirect prompt injection by reading user-specified files and goal descriptions to generate plans.
  1. Ingestion points: User goal arguments and any files referenced within those arguments.
  2. Boundary markers: The generated plan uses specific Markdown headers and a sentinel string (`<promise>ALLDONE</promise>`) to delimit the end of the run.
  3. Capability inventory: Access to git, beads, bash, and jq for local repository manipulation.
  4. Sanitization: The skill does not explicitly sanitize the user-provided goals, but it enforces a strict RED/GREEN/VERIFY structure for task descriptions.
- [SAFE]: No network exfiltration, remote code downloads, or access to sensitive credential files (e.g., `.ssh`, `.aws`) were detected. All generated artifacts are stored in local directories like `.llmtmp/` or `.beads/`.
Audit Metadata