Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ralph Loop (Agent Mode)
v1.1.0
Guide OpenClaw agents to execute Ralph Wiggum loops using exec and process tools. Agent orchestrates coding agents (Codex, Claude Code, OpenCode, Goose) with proper TTY support via pty:true. Plans/builds code via PROMPT.md + AGENTS.md, SPECS and IMPLEMENTATION_PLAN.md. Includes PLANNING vs BUILDING modes, backpressure, sandboxing, and completion conditions. Users request loops, agents execute using tools.
by Addo.Zhang (@addozhang)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The skill's README and package.json clearly describe launching interactive coding CLIs (opencode, codex, claude, goose, pi) and requiring exec/process/file-read/file-write permissions — which fits the stated purpose. However the registry metadata shown to you earlier lists no required binaries or env vars, which contradicts the package.json and SKILL.md. That mismatch (no declared required CLIs in the registry view vs. explicit tool requirements in the files) should be resolved before trusting the skill.
Instruction Scope
The SKILL.md instructs agents to construct and exec arbitrary CLI command strings built from PROMPT.md and project files and to run background interactive sessions with pty:true. This is functionally coherent for an orchestrator, but the instructions also promote using auto-approval flags (e.g. --yolo, --dangerously-skip-permissions) and running arbitrary tests/commits. Those bits broaden the agent's runtime discretion and enable bypassing sandbox/permission checks — a real risk if misused or combined with malicious prompts or untrusted repos.
Install Mechanism
This is instruction-only (no install spec and no code files to execute on install), which is the lowest install risk. Nothing in the bundle downloads or writes code at install time.
Credentials
The skill doesn't request environment variables or credentials from the registry metadata, and package.json lists only tool and permission requirements (exec/process/file-read/file-write), which are consistent with running CLIs and manipulating project files. However the skill will read and write workspace files (PROMPT.md, AGENTS.md, IMPLEMENTATION_PLAN.md, project files) and will execute arbitrary CLI commands which can access network services or local credentials. The absence of declared required credentials is not an assurance that sensitive data won't be accessed during runs — the agent's runtime commands could touch cloud CLIs or git remotes.
Persistence & Privilege
always:false and no install-time persistence are set; the skill is user-invocable and relies on agent tools at runtime. It does not request force-inclusion or system-wide configuration changes in the provided materials.
What to consider before installing
This skill appears to do what it says — it teaches an OpenClaw agent how to launch and monitor interactive coding CLIs using exec + process — but there are several things to consider before installing or running it:
1. Metadata mismatch: The package/README explicitly require CLIs like opencode/codex/claude/goose, but the registry metadata you were shown said 'none' for required binaries. Confirm which CLIs are actually required and present on the host before use.
2. Review auto-approval flags: The SKILL.md references risky flags (e.g. --yolo, --dangerously-skip-permissions, --full-auto). Avoid enabling those unless you run the skill in a fully isolated sandbox and understand the consequences.
3. Sandbox and least privilege: Run initial tests in an isolated environment (container/VM) with limited network and credentials. Prefer sandboxed execution (docker/e2b/fly) as the README recommends.
4. Inspect generated prompts and files: The agent will create and cat PROMPT.md and other files into CLI commands. Prompt injection or crafted prompts could cause the coding CLI to run unintended actions. Review PROMPT.md, AGENTS.md, and command strings before allowing execution.
5. Monitor runtime and logs: Use the platform's process/exec monitoring controls and be prepared to kill sessions if behavior is unexpected. Do not give the agent access to sensitive cloud credentials or wide git permissions when testing.
6. What would change this assessment: If there were an install script that downloaded code from an untrusted host, or the skill requested unrelated credentials (AWS/GCP tokens) in its declared requirements, or the registry metadata intentionally omitted required exec/process permissions — the verdict would be higher-severity suspicious or worse. Providing explicit, consistent required-tools metadata and removing or clearly warning about permission-bypassing flags would increase my confidence to 'benign'.
