Ralph Evolver
Review
Audited by ClawScan on May 10, 2026.
Overview
Ralph Evolver appears to be a disclosed local project-analysis and improvement-prompt generator, with noteworthy local command execution, recursive loop/spawn options, and local state reuse but no artifact-backed evidence of hidden exfiltration or destructive behavior.
Install only if you want a local project-analysis tool that generates recursive improvement prompts. Run it on trusted repositories, review each generated prompt before allowing file changes, keep loop counts limited, and inspect or reset the .ralph directory if you do not want prior run history reused.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill will execute local analysis commands in the selected project, which may reveal project details to the agent prompt and could behave unexpectedly on untrusted repositories.
The skill invokes local command-line tools to collect repository context. This is purpose-aligned, but it means the skill is not purely instructional or passive.
const { execFileSync } = require('child_process'); ... execFileSync('git', ['diff', '--stat', 'HEAD~1', '--', '.'], { cwd: this.projectPath, encoding: 'utf-8', timeout: 5000 })
Use it only on trusted project directories and review the generated prompt before allowing the agent to act on it.
Prior local history can influence future improvement prompts; if the .ralph history is inaccurate or tampered with, it could steer the agent's next actions.
The skill persists improvement history locally and later reuses descriptions and insights in generated prompts.
this.historyFile = path.join(projectPath, '.ralph', 'improvements.json'); ... if (h.insight) line += `\n 💡 ${h.insight}`;
Inspect or reset the .ralph directory when switching projects or when generated guidance seems unexpected.
If used carelessly, repeated improvement cycles could lead the agent to keep proposing or applying changes beyond what the user initially intended.
The skill explicitly supports repeated cycles and session-spawn-oriented prompt output for recursive improvement workflows.
--spawn Output prompt for sessions_spawn ... console.log(`\n⚠️ Use --spawn flag with sessions_spawn to continue the loop.`);
Keep loop counts small, require human review between cycles, and avoid enabling recursive changes in sensitive repositories without clear rollback plans.
Users have less external context for confirming who maintains the skill or whether the uploaded code matches an upstream project.
The registry metadata does not provide a clear upstream source or homepage for independently verifying the package provenance.
Source: unknown; Homepage: none
Review the included files before use and prefer installing skills from sources with clear provenance.
