Ralph Quick Security Check

Pass (audited by ClawScan on May 1, 2026).

Overview

This is a coherent, instruction-only quick security checklist that reads the selected project and writes a local report. No hidden install, credential-access, network, or destructive behavior was found in the reviewed artifacts.

This skill appears safe to install as an instruction-only security checklist. Run it only in the project you want audited, be aware it may read private source/configuration files and possible secrets, and review or redact the generated `.ralph-report.md` before committing or sharing it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1 of 3

What this means

The agent may read source code, configuration, Docker, and CI files in the working project and run a read-only git discovery command (`git rev-parse --show-toplevel`) to locate the repository root.

Why it was flagged

The skill asks the agent to inspect the current repository and run a git discovery command. This is expected for a security spot-check, but it means the agent will access local project contents.

Skill content
Auto-Detect (Iteration 1) ... `git rev-parse --show-toplevel` ... VERIFY ... read actual code
Recommendation

Invoke it only inside the repository you intend to audit, and review any command or file-access behavior if your environment is sensitive.

Finding 2 of 3

What this means

If the project contains hardcoded credentials, the agent may see them while performing the check.

Why it was flagged

The skill is designed to look for secret-like values in project files. That is purpose-aligned, but it can expose credentials or tokens if they are present in the codebase.

Skill content
Covers secrets, OWASP basics, auth, rate limiting, and containers. ... Iter 3 | Hardcoded secrets scan
Recommendation

Use this only on projects you are authorized to inspect, and avoid sharing raw findings that include actual secret values.

Finding 3 of 3

What this means

The generated report could disclose vulnerabilities or sensitive details if committed, synced, or shared unintentionally.

Why it was flagged

The skill persists a local report file, and renames any previous report to a timestamped copy rather than overwriting it, so several report files can accumulate in the project over time. This behavior is disclosed and scoped, but each report may contain security-sensitive findings or references to secret-like data.

Skill content
FINAL: Generate summary report saved to `.ralph-report.md` ... if `.ralph-report.md` exists, rename to `.ralph-report-{YYYY-MM-DD-HHmm}.md`
Recommendation

Review the report before sharing it, redact sensitive values, and consider adding `.ralph-report*.md` to `.gitignore` if appropriate; the glob also covers the timestamped copies the skill creates when a previous report exists. Note that ignoring the files in git does not stop other sync tools from copying them.
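The two recommendations above (redact secret values before sharing, keep the report files out of version control) as an added example. This is not code from the Ralph skill or from ClawScan; it assumes Python 3, a report laid out like the constructed sample inside the block, and a handful of common secret shapes (URL credentials, Bearer tokens, AWS access key IDs, generic `NAME = "value"` assignments). The regexes are a starting point for redaction, not a complete secret scanner, and the `.gitignore` matcher is an approximation sufficient for top-level report names.

```python
"""Redact secret-like values from a Ralph report before sharing it, and check
that the report files are covered by .gitignore.

Added example, not part of the Ralph skill or ClawScan. The sample report is
constructed for illustration; the AWS-style values are the well-known
documentation placeholders, not live credentials."""
import re
import sys
from fnmatch import fnmatch

# Constructed sample, standing in for a generated .ralph-report.md.
SAMPLE_REPORT = """# Ralph Quick Security Check
## Iter 3 | Hardcoded secrets scan
- config/settings.py:12: AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
- config/settings.py:13: AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
- src/client.py:40: headers = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123def456"}
- .env:3: DATABASE_URL=postgres://app:s3cretpass@db.internal:5432/app
## Iter 4 | Auth and rate limiting
- No rate limiting on /login (src/routes/auth.py:22)
"""

REDACTED = "[REDACTED]"

# Order matters: the structured forms (URL password, Bearer token, AWS key ID)
# are masked first; the generic NAME=value rule then catches what is left and
# is a no-op on values that are already masked.
SECRET_PATTERNS = [
    # user:password@host inside a URL: keep the user, mask the password.
    (re.compile(r"://([^:/\s]+):([^@\s]+)@"), r"://\1:" + REDACTED + "@"),
    # Bearer tokens in Authorization headers (base64url / JWT alphabet).
    (re.compile(r"(Bearer\s+)[A-Za-z0-9\-._~+/]+=*"), r"\1" + REDACTED),
    # AWS access key IDs: fixed AKIA prefix plus 16 uppercase alphanumerics.
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), REDACTED),
    # Generic NAME = "value" / NAME: value where NAME looks secret-bearing.
    (re.compile(r"(?i)((?:secret|token|password|passwd|api[_-]?key|access[_-]?key)"
                r"[\w-]*\s*[=:]\s*[\"']?)([^\"'\s,}]+)"), r"\1" + REDACTED),
]


def redact_report(text):
    """Return (redacted_text, number_of_lines_changed).

    File paths and line references are left intact so the finding is still
    actionable; only the value part of each match is masked."""
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        new = line
        for pattern, repl in SECRET_PATTERNS:
            new = pattern.sub(repl, new)
        if new != line:
            changed += 1
        out.append(new)
    return "".join(out), changed


def _gitignore_matches(pattern, path):
    """Approximate gitignore matching: a pattern without a slash matches the
    basename at any depth; a leading slash anchors it to the repository root.
    Assumption: fnmatch's '*' also crosses '/', which gitignore's does not; the
    difference does not matter for top-level .ralph-report*.md names."""
    pattern = pattern.rstrip("/")
    if pattern.startswith("/"):
        return fnmatch(path, pattern[1:])
    if "/" in pattern:
        return fnmatch(path, pattern)
    return fnmatch(path.rsplit("/", 1)[-1], pattern)


def report_is_ignored(gitignore_text, path):
    """True if the last matching .gitignore rule ignores `path`.

    A rule starting with '!' re-includes the path, as in git."""
    ignored = False
    for raw in gitignore_text.splitlines():
        rule = raw.strip()
        if not rule or rule.startswith("#"):
            continue
        negate = rule.startswith("!")
        if _gitignore_matches(rule[1:] if negate else rule, path):
            ignored = not negate
    return ignored


if __name__ == "__main__":
    # Usage: python redact_ralph_report.py [.ralph-report.md] > report-shareable.md
    # Without an argument the constructed sample is redacted instead.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    redacted, n = redact_report(text)
    sys.stdout.write(redacted)
    sys.stderr.write(f"{n} line(s) redacted\n")
```

Run it over the real report and share the redacted output only; the line count on stderr is a quick sanity check that the scan actually touched the secrets section. Extend `SECRET_PATTERNS` with the credential formats used in your own stack before relying on it.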