v3.0.0

Ralph Ultra Security Audit

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:49 AM.

Analysis

No hidden code or exfiltration is evident, but the skill directs broad secret and infrastructure auditing and persistent report writing, so it needs careful review before use.

GuidanceInstall or invoke this only for repositories and environments you are authorized to audit. Before running it, set a clear target scope, require read-only behavior unless you approve otherwise, redact any discovered secrets, and keep `.ralph-report.md` private and out of source control.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

Attack surface — endpoint enumeration, auth mapping, rate limits, exposed ports... Hidden systems — undeclared services, cron jobs, orphan configs, Docker networks

These instructions cover broad system and network discovery. The skill does not state allowed targets, read-only limits, scan intensity, or when to ask the user before touching infrastructure-related areas.

User impactThe agent may inspect or probe services, local infrastructure, or configurations beyond what the user intended, which can expose topology or trigger monitoring in sensitive environments.

RecommendationDefine an explicit audit scope before use, require approval for endpoint/port/DB/SSH/Docker checks, and keep actions read-only unless the user specifically authorizes changes.

Agent Goal Hijack

SeverityLowConfidenceHighStatusNote

SKILL.md

- **NEVER skip iterations** ... **CONTINUE**: IF iteration <= 1000 GOTO Step 1

The skill sets a rigid 1,000-iteration stopping condition. This is disclosed as part of the deep-audit purpose, but users should notice that it may keep the agent working for hours unless interrupted.

User impactThe agent may continue producing audit iterations longer than the user expects, consuming time and attention.

RecommendationInvoke this only when a long audit is intended, set time or iteration limits if needed, and allow the user to stop or narrow the run.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

SKILL.md

- **251-300:** Secret detection (API keys, passwords, git history)

The skill explicitly directs the agent to look for credentials in files and history. That is aligned with a security audit, but the artifacts do not define target scope, redaction rules, or safe handling for discovered secrets.

User impactAPI keys, passwords, or secret locations could be shown in the chat or saved into an audit report if the user runs this on a real codebase.

RecommendationUse only on systems you own or are authorized to audit, require secret-value redaction, and confirm before scanning git history, environment files, or credential-like data.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusConcern

SKILL.md

**SAVE**: Every 50 iterations, update `.ralph-report.md`

The skill creates persistent audit output. Because the same workflow includes detailed findings, exploit information, and secret-detection checks, the report may retain sensitive security data without stated redaction, retention, or path controls.

User impactSensitive vulnerabilities, exploit notes, or secret references could remain on disk and later be shared, committed, or read by another process.

RecommendationWrite reports only to an approved private path, add them to ignore lists where appropriate, redact secret values, and review the report before sharing.