Back to skill

Security audit

Ralph Loops

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed autonomous development loop tool, but it needs review because it can run Claude without permission prompts, push changes to git remotes, and expose broad local process/session controls.

Install only in an isolated development workspace with a disposable branch and limited credentials. Review or disable automatic git push, avoid using --check-cmd with untrusted input, do not run the dashboard on a shared network, and expect the loop to edit files, run commands, consume API budget, and keep running until stopped.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill repeatedly encourages running an autonomous build loop that can edit files, run commands, and make commits, while the nearby quick-start/build examples do not consistently foreground those side effects. In a skill specifically designed for unattended iteration, under-warning users about destructive or persistent changes materially increases the chance of accidental repository modification and unsafe execution.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code exposes a destructive operation that aborts a session immediately, with no built-in confirmation, authorization check, or safety interlock in this method. In a dashboard/loop-management context, this increases the chance of accidental or unintended termination of active work, and if an attacker can influence the caller or the session key, it can be used to disrupt service or destroy in-progress agent state.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The killLoop method performs destructive actions by terminating processes matched via pgrep/pkill and writing a done marker file, but it contains no authorization, confirmation, or safety validation in this code path. This is dangerous because a caller who can invoke this method with a chosen loopId may stop active jobs and, due to broad pattern-based process matching, potentially terminate unintended processes that merely contain the sessionId/hash in their command line.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script executes the user-supplied --check-cmd string via execSync, which invokes a shell. That creates a real command-injection surface because any untrusted or accidentally unsafe input passed to this option will run with the script's privileges, and the script does not constrain, validate, or sandbox it. In this skill's context, the tool already launches an agent with dangerous permissions, so adding arbitrary pre-iteration shell execution materially increases the risk of destructive local command execution.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The prompt explicitly instructs the agent to run `git push`, which can publish code and repository history to a remote without any explicit user confirmation or safety gate. In an agent skill, automatic remote publication is dangerous because it can leak sensitive code, propagate unintended changes, or push malicious edits if the agent is compromised or misled.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script automatically performs `git push` after every iteration, which transmits local changes to a remote without per-iteration user approval. Because the loop also runs an agent with broad autonomy, this can exfiltrate unintended, sensitive, or maliciously modified content to a remote repository and make accidental publication persistent.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script invokes `claude` with `--dangerously-skip-permissions`, explicitly disabling permission checks and auto-approving all tool calls in headless mode. In this context, that gives the model broad ability to execute file, shell, and potentially network-affecting actions without human review, substantially increasing the risk from prompt injection, bad instructions, or model error.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The template instructs the agent to run `./loop.sh plan` and `./loop.sh build` based on trigger phrases, but it does not require a clear confirmation or safety warning immediately before executing shell commands. In an agent skill, embedding operational commands into conversational flow increases the risk of unintended command execution from ambiguous user input or prompt injection through quoted text.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dashboard/lib/ralph-reader.mjs:202

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/ralph-loop.mjs:256