Monitored Ralph Loop

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for autonomous coding loops, but it includes high-impact defaults and setup guidance that can repeatedly run agents, commands, notifications, and persistent services with limited user gating.

Install only for isolated repositories or disposable sandboxes. Review and override RALPH_FLAGS before use, avoid Claude's default permission-skip mode unless you explicitly accept it, keep secrets out of prompts and logs, treat RALPH_TEST as arbitrary shell code, and do not run the systemd or /etc/fstab snippets unless you understand the host-level persistence they create.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (13)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is described as generating copy-paste bash scripts, but the content goes substantially further by prescribing direct execution of agent CLIs, file mutation, logging, notifications, and project-state management. That mismatch is dangerous because users or higher-level orchestration may grant it broader trust than intended, leading to autonomous code execution and persistent side effects in local repositories.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script does more than run a local agent loop: it writes detailed notification data to a file and may schedule an external OpenClaw event automatically. That creates an additional outbound control/coordination channel that can leak project metadata, logs, and task state to another orchestrator, which expands the trust boundary beyond the stated local loop behavior.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
When RALPH_FLAGS is unset and CLI=claude, the script automatically uses --dangerously-skip-permissions, disabling an important safety control without explicit user consent. In a loop that repeatedly runs an AI coding agent against the repository, this materially increases the chance of unintended file modifications, command execution, or other unsafe actions proceeding without review.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README includes copy-paste privileged commands that alter swap configuration and persist changes in /etc/fstab, but it does not clearly warn about system integrity, boot, or operational risks if misapplied. In an agent-loop skill, users may execute these commands mechanically, increasing the chance of unsafe system modification on the host.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README provides systemd installation and enablement commands that create a persistent service and auto-start behavior, but does not prominently warn that this changes long-term system behavior and may repeatedly run an autonomous coding loop. That is risky in this skill context because the service can keep restarting an agent with write capabilities after crashes or failures.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
RALPH_TEST is executed through bash -lc, so any value placed in that environment variable is treated as a shell command. While this is expected for a configurable test hook, the script presents it as a normal option without a strong warning, making accidental or unsafe command execution more likely, especially in automation contexts.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
This line hardcodes Claude's dangerous permission-bypass mode as the default behavior. Because the skill is explicitly designed to create iterative AI build loops, forcing a permission bypass in that context is especially risky: the agent is repeatedly invoked and can operate with reduced safeguards across multiple iterations.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The template provides broad autonomous execution guidance for a coding agent without explicit activation constraints, approval gates, or repository-scope limits. In practice, this can cause the skill to be invoked in situations where the user did not clearly authorize multi-step code modification, testing, commits, and task progression, increasing the risk of unintended changes or overreach.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The template instructs the agent to modify project state by committing changes, updating IMPLEMENTATION_PLAN.md, updating AGENTS.md, and writing notification files, but it does not present any user-facing warning that these actions will persist changes in the repository. That makes accidental or non-consensual state changes more likely, especially in agent-loop contexts where actions may be repeated automatically.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Requires git repository
- **Each `codex exec` is a fresh session** — no memory between calls
- `--full-auto`: Auto-approve in workspace (sandboxed)
- `--yolo`: No sandbox, no approvals (dangerous but fast)
- Default model: gpt-5.2-codex

### Claude Code
Confidence
90% confidence
Finding
no approval

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
### Codex
- Requires git repository
- **Each `codex exec` is a fresh session** — no memory between calls
- `--full-auto`: Auto-approve in workspace (sandboxed)
- `--yolo`: No sandbox, no approvals (dangerous but fast)
- Default model: gpt-5.2-codex
Confidence
88% confidence
Finding
Auto-approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Default model: gpt-5.2-codex

### Claude Code
- `--dangerously-skip-permissions`: Auto-approve (use in sandbox)
- No git requirement
- Each invocation is fresh
Confidence
90% confidence
Finding
Auto-approve

Tool Parameter Abuse

High
Category
Tool Misuse
Content
⚠️ **Auto-approve flags are dangerous.** Always:
1. Run in a dedicated directory/branch
2. Use a sandbox (Docker/VM) for untrusted projects
3. Have `git reset --hard` ready as escape hatch
4. Review commits before pushing

---
Confidence
84% confidence
Finding
git reset --hard

VirusTotal

62/62 vendors flagged this skill as clean.
