ralplan
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No security issues were detected. The skill follows a structured consensus model to validate planning decisions before handing off to execution agents, which serves as a design-level safety control.
- [COMMAND_EXECUTION]: The skill references standard developer tools such as
git,npm, andgh, as well as project-specific utilities likeomx. These are used for repository exploration and task management in line with the skill's primary purpose. - [DATA_EXPOSURE]: The skill manages task context within the
.omx/context/directory. This is used for session persistence and grounding, involving only task-related facts and codebase touchpoints rather than sensitive system-level credentials. - [PROMPT_INJECTION]: The skill defines a 'Pre-Execution Gate' that interprets specific user prefixes like
force:or!as bypass signals for the planning workflow. This is a functional design choice for user experience rather than a malicious instruction override. - [INDIRECT_PROMPT_INJECTION]: The skill processes external data from the codebase and user prompts, creating an attack surface for indirect injection.
- Ingestion points: User-provided task descriptions, codebase content via
omx explore, and external documentation viaresearcher. - Boundary markers: Employs structured markdown headers and a specific 'RALPLAN-DR' summary format to isolate agent deliberation.
- Capability inventory: Triggers downstream execution via the
$ralphand$teamskills based on the finalized plan. - Sanitization: Does not explicitly define sanitization or escaping mechanisms for the interpolated content within the prompt blocks.
Audit Metadata