The skill allows arbitrary command execution via
Claims to do
Ralph Agent: Autonomous coding agent that implements user stories iteratively with **multi-PRD parallel development** support.
Actually does
The skill manages an autonomous coding agent named Ralph. It uses internal commands (`/ralph-ryan:prd`, `/ralph-ryan:prep`, `/ralph-ryan:run`, `/ralph-ryan:status`) to create, prepare, execute, and monitor development tasks (PRDs). It reads and writes structured data (`prd.json`, `prd.md`, `progress.txt`, `ralph-loop.local.md`) within a local `.claude/ralph-ryan/` directory, tracks file changes for version control, and manages session isolation.
The agent's core function is to execute actions based on instruction files like `run.md` and `prd.md`. If an attacker can modify these files, they can inject arbitrary commands for the agent to execute on the underlying system.
Routing: Read `{baseDir}/run.md`, Read `{baseDir}/prd.md`. Description: 'Autonomous coding agent that implements user stories iteratively.'

The `prd-slug` provided by the user in commands like `/ralph-ryan:run [prd-slug]` is used to construct file paths. Without proper sanitization, this could lead to path traversal, allowing access to files or directories outside the intended `.claude/ralph-ryan/` scope and potentially to command execution.
Quick Reference: `/ralph-ryan:run [prd-slug]`. Shared Configuration: PRD subdirectory `.claude/ralph-ryan/<prd-slug>/`
The agent is designed to modify files (tracked via `filesChanged` in `prd.json`) and interact with a version control system (Git branches, commits). This capability, if the agent is compromised, could be abused for unauthorized code changes, data exfiltration, or establishing persistence mechanisms within a repository.
File Tracking: `filesChanged`. prd.json Branch Fields: `branchName`, `baseBranch`
The `/ralph-ryan:run` command features an 'auto-loop until complete' mechanism. While a manual termination option exists, a maliciously crafted or buggy instruction set could lead to an infinite loop, consuming system resources.
Quick Reference: `/ralph-ryan:run [prd-slug] [--max-iterations N]` (auto-loop until complete)
The agent's operational instructions and state are stored in local Markdown and JSON files (`prd.md`, `run.md`, `prd.json`). Compromising these files directly manipulates the agent's knowledge base and dictates its subsequent actions.
Routing: Read `{baseDir}/prd.md`, Read `{baseDir}/prep.md`, Read `{baseDir}/run.md`. Shared Configuration: `prd.json`

Source: https://mondoo.com/ai-agent-security/skills/github/wquguru/exoshell/ralph-ryan