Back to skill

Security audit

Ralph Evolver

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for code self-improvement, but it can run project-defined commands and iterative self-modification workflows that deserve careful review before use.

Install only for trusted repositories and run it in a sandbox or disposable branch/worktree. Review what commands it will run, avoid using it on untrusted projects with package scripts, check for secrets before letting repository content enter model prompts, and treat --reset and self-evolve/loop modes as high-impact actions that should be used deliberately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill metadata presents the tool as a high-level 'self-improvement engine' but omits materially important behaviors such as executing external commands, inspecting repository history, and persisting state. That mismatch can mislead users and higher-level agents into granting broader access than intended, increasing the risk of unsafe command execution, unintended data exposure, and destructive changes during autonomous runs.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill executes project-controlled commands such as `npm run build`, `npm test`, `npm run lint`, `pytest`, and `python -m py_compile` during analysis. In an untrusted repository, those commands may run attacker-supplied scripts or code paths, turning a 'thinking/improvement' skill into arbitrary code execution against the host environment.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The skill invokes external binaries (`git`, later also `grep`) over repository content. While these calls are less dangerous than `npm test`, they still expand the attack surface, rely on host tooling, and may process adversarial repository state or dangerous paths/symlinks in ways that exceed the stated purpose.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description uses broad activation language like 'recursive self-improvement' and 'let insights emerge' without clear scope, triggers, or operational limits. In agent environments, ambiguous framing can cause over-invocation or invocation in inappropriate contexts, especially for a skill that appears capable of iterative actions and external command execution.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Documenting a '--reset' capability without warning that it clears prior iteration state creates a real safety issue because users or agents may erase audit trails, rollback context, or learned safeguards unintentionally. In a recursive improvement tool, loss of state can undermine traceability and make it harder to detect bad regressions or recover from harmful autonomous changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The --reset path performs a recursive deletion of the .ralph state directory immediately when the flag is present, with no confirmation, dry-run, or secondary safeguard. Because projectPath is user-controlled and the tool is designed for iterative autonomous use, an accidental or misdirected invocation can irreversibly destroy local state and disrupt workflows.

Ssd 3

Medium
Confidence
90% confidence
Finding
The generated prompt includes raw commit history, TODOs, file structure, snippets, and context files directly from the repository. If the downstream model response is logged, sent to remote APIs, or exposed to users, this can leak sensitive source, credentials accidentally committed to docs, internal paths, or proprietary development context.

Self-Modification

High
Category
Rogue Agent
Content
"scripts": {
    "start": "node index.js",
    "evolve": "node index.js --project .",
    "self-evolve": "node index.js --project . --loop 3",
    "test": "vitest run"
  },
  "keywords": [
Confidence
94% confidence
Finding
self-evolve

Known Vulnerable Dependency: vitest==1.6.1 — 1 advisory(ies): CVE-2026-47429 (When Vitest UI server is listening, arbitrary file can be read and executed)

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
vitest==1.6.1

VirusTotal

49/49 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
evolve.js:725