Dispatchi (Ralph Loop)

Pass
Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: miniade-dispatchi
Version: 0.1.1

The skill is classified as suspicious due to a prompt injection vulnerability. The `scripts/run_dispatchi.sh` script constructs a `RALPH_CMD` string that includes user-provided `PROMPT` text, which is then passed to the `claude` agent. Although `shlex.quote` is used to prevent shell injection into the `python3` wrapper, the `PROMPT` itself is double-quoted within the `RALPH_CMD` string (e.g., `/ralph-loop:ralph-loop "${PROMPT}"`). This allows a malicious user to inject arbitrary arguments into the `ralph-loop` command by crafting a `PROMPT` that breaks out of the inner quotes (e.g., `foo" --evil-arg "bar`), thereby manipulating the AI agent's internal command execution. Additionally, `scripts/vendor/claude_code_run.py` includes logic to automatically bypass `claude`'s workspace trust and permission prompts, which, while configurable, reduces interactive security checks.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern, High Confidence
ASI10: Rogue Agents
What this means

A Claude Code session may keep working in the background for a long time, making changes or consuming resources after the user has moved on.

Why it was flagged

The skill is designed to launch a separate interactive Claude Code task that continues running after the invocation returns.

Skill content
Start interactive dispatch in background (non-blocking).
Recommendation

Install only if you want background Claude Code workers. Monitor the printed tmux session/result directory and make sure you know how to stop sessions with the documented cancel/kill flow.

What this means

A safety prompt intended to make the user confirm elevated Claude Code permissions can be accepted automatically by the skill.

Why it was flagged

The runner automatically accepts Claude Code's permissions warning when that prompt appears, including for bypass-permissions mode.

Skill content
```python
if tmux_wait_for_text(socket_path, target, "Yes, I accept", timeout_s=10):
    # Select option 2 and confirm.
    subprocess.run(tmux_cmd(socket_path, "send-keys", "-t", target, "2"), check=False)
    subprocess.run(tmux_cmd(socket_path, "send-keys", "-t", target, "Enter"), check=False)
```
Recommendation

Avoid setting DISPATCH_PERMISSION_MODE to bypassPermissions/dontAsk unless you explicitly trust the task and repository. The skill should disclose this behavior prominently and require explicit user approval for permission-bypass runs.

What this means

Depending on configuration, the background Claude Code process may run with broader edit/tool permissions than the user expects.

Why it was flagged

A local env file or OpenClaw env injection can pass arbitrary Claude Code permission modes through to the launched Claude process.

Skill content
```bash
DISPATCH_PERMISSION_MODE="${DISPATCH_PERMISSION_MODE:-}"
...
if [[ -n "$DISPATCH_PERMISSION_MODE" ]]; then
  CMD+=(--permission-mode "$DISPATCH_PERMISSION_MODE")
fi
```
Recommendation

Review dispatch.env.local and OpenClaw env injection settings before use. Prefer restrictive Claude permission modes unless a specific task truly needs broader access.

What this means

A malformed or malicious project name could cause the skill to create directories, write result files, or run Claude Code outside the intended repository/results roots.

Why it was flagged

The user-controlled project value is used directly in filesystem paths without validation against path traversal components such as `../`.

Skill content
```bash
PROJECT="$1"
...
WORKDIR="${REPOS_ROOT}/${PROJECT}"
mkdir -p "$WORKDIR" "$LAUNCH_LOG_DIR"
...
RESULT_DIR="$RESULTS_BASE/$PROJECT/$RUN_ID"
mkdir -p "$RESULT_DIR"
```
Recommendation

Use only simple project names. The skill should validate the project argument, reject absolute/path-traversal components, and resolve paths to ensure they remain under the configured roots.

What this means

A prompt containing certain words may enable multi-agent behavior, which can increase autonomy, cost, and the amount of project context shared among agents.

Why it was flagged

The skill can enable Claude Code Agent Teams based on keywords in the prompt rather than an explicit separate user setting.

Skill content
```bash
if echo "$PROMPT" | grep -Eiq '(Agent Team|Agent Teams|多智能体|并行|testing agent)'; then
  NEED_TEAMS=1
fi
...
if [[ "$NEED_TEAMS" -eq 1 ]]; then
  CMD+=(--agent-teams)
fi
```
Recommendation

Treat prompts containing Agent Teams/parallel-testing language as higher-impact runs. The skill should make Agent Teams opt-in and clearly disclose when it is being enabled.

What this means

Installation may appear simpler than it is, and the skill will fail or behave differently depending on local tools and PATH configuration.

Why it was flagged

The metadata declares no required binaries, while the scripts invoke external tools such as `python3`, `tmux`, `jq`, `sha1sum`, and Claude Code.

Skill content
Required binaries (all must exist): none
Recommendation

Confirm required local tools are installed and that `CLAUDE_CODE_BIN` points to the expected Claude Code binary before running.