ralph
Fail
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The user-supplied '$ref' argument is directly interpolated into multiple shell commands (e.g., 'git show', 'find', 'git worktree') without any sanitization or validation. This allows an attacker to execute arbitrary commands by providing a malicious branch name or identifier.
- [COMMAND_EXECUTION]: The skill instructions explicitly require the 'dangerouslyDisableSandbox: true' flag for 'git worktree' operations. This flag disables platform-level security boundaries, granting the skill unauthorized write access to the filesystem.
- [COMMAND_EXECUTION]: The variable '$SPEC_TITLE' is parsed from the first line of an external spec file and used as an argument in a shell script execution ('bash ralph/loop.sh plan-work "$SPEC_TITLE" 3'). If the spec title contains shell metacharacters, it can lead to command injection.
- [REMOTE_CODE_EXECUTION]: The skill executes 'ralph/loop.sh', a script that resides in the repository. Because the skill checks out a branch controlled by the user-provided '$ref', an attacker can use a malicious branch to provide a modified script, resulting in the execution of untrusted code.
Recommendations
- AI detected serious security threats
Audit Metadata