Ralph Loops
Warn. Audited by ClawScan on May 10, 2026.
Overview
Ralph Loops is coherent for autonomous Claude loops, but it needs review because its dashboard broadly reads local Clawdbot transcripts and uses unsafe shell-based session/process controls.
Install only if you are comfortable running autonomous Claude loops that may modify a project and consume tokens. Use a clean repo/branch, keep the dashboard on localhost, avoid exposing it on a network, review or patch the shell-based kill commands, and be aware that the dashboard can read broader Clawdbot transcript history than just Ralph loop logs.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A dashboard action could stop unrelated Clawdbot sessions, not just Ralph loop workers.
The dashboard treats non-subagent sessions as active, returns all sessions, and has an abort command by session key. That is broader than Ralph-loop-only control and lacks visible validation that the target belongs to this skill.
if (!session.key?.includes('subagent')) { return true; } ... // Return ALL sessions, not filtered ... const command = `clawdbot gateway call chat.abort --params '{"sessionKey":"${sessionKey}"}'`;
Limit dashboard controls to Ralph-owned loop session IDs, validate session keys, show a clear confirmation, and avoid raw shell gateway commands where possible.
Stopping a loop could accidentally terminate unrelated processes, and a locally tampered Ralph state file could turn the shell command into a command-injection path.
The kill path reads Ralph state from /tmp and interpolates session/state-derived values into shell commands. Without escaping or argument arrays, a crafted value could alter the shell command or kill unintended matching processes.
const TEMP_DIR = '/tmp'; ... const patterns = [sessionId, hash, loopId] ... execSync(`pgrep -f "${pattern}" 2>/dev/null || true`); ... execSync(`kill ${pid} 2>/dev/null`);
Use spawn/execFile with argument arrays, strictly validate session IDs and PIDs, avoid pgrep/pkill pattern matching, and store state in a less tamper-prone per-user directory.
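To make that recommendation concrete, here is an added example (not code from the Ralph Loops skill) showing the vulnerable interpolation beside a hardened stop path: identifiers are allow-listed, the recorded PID is validated, and the worker is signalled directly rather than located by a pgrep pattern in a shell. The state object, its ids and its pid are constructed sample values, and the kill function is injectable so the logic can be exercised without touching real processes.

```javascript
// Allow-list for Ralph-style identifiers: no whitespace, quotes or shell metacharacters.
const ID_RE = /^[A-Za-z0-9_-]{1,64}$/;
const PID_MAX = 4194304; // Linux pid_max upper bound

// Vulnerable shape from the finding: state-derived text dropped into a shell line.
// A tampered value can close the quotes and append its own commands.
function unsafeKillCommand(pattern) {
  return `pgrep -f "${pattern}" 2>/dev/null || true`;
}

// Hardened: accept only allow-listed identifiers.
function isValidId(value) {
  return typeof value === 'string' && ID_RE.test(value);
}

// Hardened: a PID must be a real integer in range, never a string from the state file.
function isValidPid(value) {
  return Number.isInteger(value) && value > 1 && value <= PID_MAX;
}

// Validate every field of a parsed state object before it reaches a process-control call.
function validateState(state) {
  const errors = [];
  for (const field of ['sessionId', 'hash', 'loopId']) {
    if (!isValidId(state[field])) errors.push(`bad ${field}`);
  }
  if (!isValidPid(state.pid)) errors.push('bad pid');
  return errors;
}

// Stop exactly the recorded worker: signal its PID directly, with no shell and no pattern match.
// `kill` defaults to process.kill but can be replaced for testing.
function stopLoop(state, kill = (pid, sig) => process.kill(pid, sig)) {
  const errors = validateState(state);
  if (errors.length > 0) return { stopped: false, errors };
  kill(state.pid, 'SIGTERM');
  return { stopped: true, pid: state.pid };
}

// Constructed sample states: a genuine one, and one tampered on disk (assumed values).
const goodState = { sessionId: 'ralph-7f3a', hash: 'a1b2c3', loopId: 'loop-1', pid: 43210 };
const tamperedState = { ...goodState, loopId: 'loop-1"; echo tampered; "' };
```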
The local dashboard may surface unrelated historical conversations and sensitive agent context while the user expects a Ralph-loop-only monitor.
The loop dashboard intentionally aggregates all available Clawdbot transcript sessions, not only Ralph loop transcripts. Those transcripts can contain private prompts, outputs, tool results, and reasoning context.
const availableTranscripts = this.transcriptReader.getAvailableTranscripts(); ... // Add ALL transcript sessions (not just ones with sessionKey in file) ... // Return ALL sessions, not filtered
Filter transcript access to Ralph-created sessions by label/session metadata, disclose exactly what transcript paths are read, and add an option to disable transcript viewing.
A loop may keep running until its max iterations, done condition, or kill signal is reached.
Autonomous background operation is disclosed and central to the skill, but it is still high-impact behavior because it can continue working, spending tokens, and modifying a project after the initial request.
The loop is autonomous ... Start the loop with `node ralph-loop.mjs ...` (runs in background) ... Or spawn as sub-agent for long-running tasks
Run loops only on explicit user request, set conservative max/time limits, use a clean branch or disposable worktree, and monitor the dashboard.
Installing the skill may change the user’s global Claude Code version and install dashboard dependencies.
The setup requires manual global and local npm package installation even though the registry says there is no install spec. The steps are purpose-aligned, but they add normal package supply-chain trust considerations.
npm install -g @anthropic-ai/claude-code@2.1.25 ... cd skills/ralph-loops/dashboard ... npm install
Review the package sources, prefer the included lockfile for dashboard dependencies, and avoid running setup commands in privileged shells.
