ralph-runner

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • PROMPT_INJECTION (LOW): Indirect Prompt Injection Surface.
      ◦ Ingestion points: The skill ingests untrusted data from prd.json files, specifically within the userStories array. Fields such as title, description, and acceptanceCriteria are natural language inputs intended to be processed by an AI agent.
      ◦ Boundary markers: There are no documented delimiters or instructions (e.g., 'ignore embedded commands') to separate the PRD content from the agent's system instructions.
      ◦ Capability inventory: The tool chain involves high-privilege operations, including spawning Claude Code for autonomous file modification and executing local shell commands such as npm test, lint, and typecheck via ralph-cli.
      ◦ Sanitization: No sanitization or validation logic is mentioned for the input JSON data before it is interpolated into agent prompts.
  • COMMAND_EXECUTION (LOW): The skill's core workflow involves executing external CLI tools (ralph, claude) and local build/test scripts. While this is the intended functionality, it allows the autonomous agent to execute arbitrary commands based on the contents of the processed PRD.
  • EXTERNAL_DOWNLOADS (LOW): The skill requires the pre-installation of ralph-cli, an unverifiable third-party tool authored by 'linuxlewis'. While the skill does not contain an automated installation script (which would raise the severity), it introduces a dependency on untrusted software.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:43 PM