Dangerous exec
- Finding
- Shell command execution detected (child_process).
Security checks across static analysis, malware telemetry, and agentic risk
The skill is not clearly malicious, but it needs review because its dashboard can read unrelated local agent transcripts and its stop controls use broad shell commands to terminate processes.
Use this only in a trusted development environment. Before installing, be aware it can start autonomous Claude processes, read local Clawdbot session history, archive loop data, and terminate processes or sessions. Review and restrict transcript access and process-kill behavior before using it on sensitive projects.
64/64 vendors flagged this skill as clean.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private conversation or task history from unrelated Clawdbot sessions may be listed or viewed through the Ralph dashboard.
The dashboard intentionally includes all available transcript sessions rather than only sessions launched by Ralph loops.
const availableTranscripts = this.transcriptReader.getAvailableTranscripts(); ... // Add ALL transcript sessions ... // Return ALL sessions, not filtered
Restrict transcript collection to Ralph-created session IDs, require explicit opt-in before reading other transcripts, document the exact local paths read, and avoid displaying sensitive or thinking content unless the user requests it.
A dashboard action could potentially affect active agent sessions beyond the Ralph loop the user intended to manage.
The code uses Clawdbot gateway authority to list and abort sessions, and the visible code does not show Ralph-only scoping.
const { stdout } = await execAsync('clawdbot gateway call status --json'); ... const command = `clawdbot gateway call chat.abort --params '{"sessionKey":"${sessionKey}"}'`;
Filter gateway actions to sessions created by this skill, show the exact session being aborted, require confirmation, and avoid constructing gateway commands through shell interpolation.
Stopping a loop could terminate unrelated matching processes, and tampered loop state could make the shell commands unsafe.
The stop logic searches and kills processes using shell commands built from loop state values instead of using stored child PIDs or validated arguments.
const patterns = [ sessionId, hash, loopId ].filter(Boolean); ... execSync(`pgrep -f "${pattern}" 2>/dev/null || true`); ... execSync(`kill ${pid} 2>/dev/null`); ... execSync(`pkill -f "${sessionId}" 2>/dev/null || true`);
Store and kill exact child PIDs created by the loop runner, validate IDs strictly, avoid pgrep/pkill string matching, and use execFile/spawn with argument arrays instead of shell command strings.
Loops may continue running after the initial request and can consume tokens, CPU, or make development changes depending on the prompt.
The skill openly instructs the agent to start autonomous background loops.
Start the loop with `node ralph-loop.mjs ...` (runs in background) ... The loop is autonomous — that's the whole point.
Use explicit max-iteration/time limits, monitor the dashboard, and run this only in a development workspace where autonomous changes are acceptable.
Setup changes the local toolchain and pulls third-party packages, including a global CLI downgrade/pin.
The documented setup installs a global Claude Code CLI version and dashboard npm dependencies even though no install spec is declared.
npm install -g @anthropic-ai/claude-code@2.1.25
...
cd skills/ralph-loops/dashboard
npm install
Install in an isolated development environment, review the package-lock and dependency provenance, and ensure the required binaries are declared in metadata.