Ralph Ultra Security Audit
Review
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only security audit skill is broad and long-running, but the sensitive code/environment review and local report writing are disclosed and aligned with its stated purpose.
Use this skill only for repositories and systems you are authorized to audit. Set a clear scope, monitor the long 1,000-iteration run, require approval for active scans or mutating commands, and treat the generated report as sensitive.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may spend a long time working through the audit unless the user stops or narrows it.
The skill sets a strict long-running loop and stopping condition for the agent, though this is disclosed by the skill's stated 1,000-iteration audit purpose.
CONTINUE: IF iteration <= 1000 GOTO Step 1
Use this only when you want a lengthy deep audit, and interrupt or re-scope the run if it is taking too much time.
If connected to tools, the agent could inspect or scan systems beyond what the user intended.
The audit checklist may lead an equipped agent to perform broad inspection or scanning of services and infrastructure. This is expected for a security audit but should be authorized and scoped.
Attack surface — endpoint enumeration, auth mapping, rate limits, exposed ports, WebSocket/SSE
Define the target repo, application, and network scope before running, and require approval before active scans or state-changing commands.
Secrets or credential locations may appear in the agent conversation or generated audit report.
The skill explicitly directs review of credentials and secret material. That is purpose-aligned for a security audit, but it is sensitive.
Secret detection (API keys, passwords, git history)
Run only on systems you are authorized to audit, avoid exposing full secret values, and keep generated reports private.
A local report file may retain sensitive security information after the audit is complete.
The skill persists audit results to a local report file, which may include vulnerability details, exploit notes, or secret findings.
SAVE: Every 50 iterations, update `.ralph-report.md`
Treat .ralph-report.md as sensitive, do not commit it accidentally, and redact secrets or exploit details before sharing.
Users have less external context for who maintains the skill or how it is reviewed.
The skill has limited provenance information. Because it is instruction-only with no install spec or code files, this is a low-risk provenance note rather than a concrete execution concern.
Source: unknown; Homepage: none
Check the publisher and review the instructions before relying on the audit results for high-stakes decisions.
