Ralph Loop (Agent Mode)

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned but gives an agent broad power to run coding tools that can edit, commit, and reset a project with insufficient guardrails.

Install only if you deliberately want an agent to run other coding agents inside a trusted project. Use a disposable branch or sandbox, set a narrow working directory, avoid --yolo and permission-skipping flags, and require explicit approval before commits, resets, rollback commands, or use of project credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Intent-Code Divergence

Medium
Confidence: 83%
Finding
The README frames sandboxing as a safeguard while also endorsing dangerous execution modes like permission-skipping or unsandboxed auto-approval later in the document. In a skill designed to orchestrate external coding agents through exec/process, mixed messaging can normalize unsafe configurations that materially reduce user oversight and containment.

Vague Triggers

Medium
Confidence: 78%
Finding
The invocation phrase 'create a Ralph Loop' is broad and lacks scope restrictions on repository, command set, trust boundaries, or allowed targets. Because this skill teaches an agent to launch powerful external CLIs via exec with TTY support, a vague trigger can cause the skill to activate in contexts where the user did not intend broad automation or code modification.

Missing User Warnings

Medium
Confidence: 95%
Finding
The rollback guidance recommends 'git reset --hard HEAD~N', which is destructive and can permanently discard uncommitted work or commits not backed up elsewhere. In this skill's context, the command is presented as an escape hatch for an autonomous agent using exec, so a user may trigger irreversible data loss without understanding the consequences.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly supports auto-approval and permission-skipping flags for coding agents, which can cause autonomous execution of code changes and command execution without meaningful user confirmation. In the context of a skill designed to orchestrate repo modifications through exec/process tools, this materially increases the chance of destructive filesystem, credential, or source-code actions if the prompt, repo contents, or downstream agent behavior are unsafe.

Missing User Warnings

Medium
Confidence: 89%
Finding
The BUILDING workflow instructs the agent to commit changes automatically, which alters repository history and can persist unintended or malicious modifications without a clear warning to the user. In an automated looping workflow, this is especially risky because repeated iterations may create multiple commits and make rollback or review harder.

Missing User Warnings

Medium
Confidence: 93%
Finding
The manifest explicitly requests exec, process, file-read, and file-write permissions, which enable command execution and filesystem modification, but the package metadata shown here does not provide a clear user-facing warning about those system-modifying capabilities. In the context of a skill designed to orchestrate shell-based coding agents, this increases the risk that users grant powerful permissions without understanding the consequences, leading to accidental destructive actions or misuse.

VirusTotal

65/65 vendors flagged this skill as clean.