The Agent Skills Directory

[COMMAND_EXECUTION]: The execution script scripts/ralph.sh invokes the claude CLI with the --dangerously-skip-permissions flag. This configuration allows the agent to execute tools, such as shell commands, file modifications, and git operations, without requiring manual approval for each individual action. While this is the intended mechanism for autonomous operation, it grants the agent significant autonomy over the local environment.
[PROMPT_INJECTION]: The skill is designed to process project-specific state files to maintain continuity across iterations, which creates a surface for indirect prompt injection.
Ingestion points: According to WORKFLOW.md, the agent reads .ralph/current-taskset/tasks.json, .ralph/current-taskset/activity.log, and .ralph/current-taskset/memories.md during the "Orient" phase of every iteration.
Boundary markers: No specific delimiters or explicit safety instructions are defined in the provided documentation to separate these potentially untrusted data sources from the agent's core logic.
Capability inventory: The agent has permissions to execute shell commands (e.g., via npm or git), write to the filesystem, and use browser automation tools like playwright-cli.
Sanitization: Content from the tracked state files is used directly to determine task priority and implementation steps without validation or sanitization.
[EXTERNAL_DOWNLOADS]: The workflow documentation describes operations that require network access, such as running npm install for project dependencies and using playwright-cli for browser-based verification. While these are standard development practices, they represent vectors for interacting with external resources and fetching remote content.

ralph-loop