Ralph Ultra Security Audit

v3.0.0

Deep-dive security audit with 1,000 iterations (~4-8 hours). Use when user says 'deep security audit', 'ralph ultra', 'compliance audit prep', 'thorough secu...

0· 733· 2 versions· 0 current· 0 all-time· Updated 2h ago· MIT-0

by@dorukardahan

Security Scans

VirusTotalReview ClawScanReview Static analysisBenign

Install

openclaw skills install ralph-ultra

Ralph Ultra — 1,000 Iterations (~4-8 hours)

Deep-dive security audit with thorough coverage across all attack vectors.

References

Instructions

Execution Engine

YOU MUST follow this loop for EVERY iteration:

STATE: Read current iteration (start: 1)
PHASE: Determine phase from iteration number
MIND: Activate appropriate expert persona for phase
ACTION: Perform ONE check from current phase
VERIFY: Before FAIL — read actual code, check libraries, check DB constraints, check environment. If inconclusive: NEEDS_REVIEW.
REPORT: Output iteration result
SAVE: Every 50 iterations, update .ralph-report.md
INCREMENT: iteration + 1
CONTINUE: IF iteration <= 1000 GOTO Step 1
FINAL: Generate comprehensive report

Critical rules:

ONE check per iteration — deep, not wide
ALWAYS show [ULTRA-X/1000]
NEVER skip iterations
CRITICAL findings: immediately flag
Apply Red Team mindset to EVERY check

Per-Iteration Output

╔══════════════════════════════════════════════════════════════════╗
║ [ULTRA-{N}/1000] Phase {P}: {phase_name}                        ║
║ Mind: {active_expert_persona}                                    ║
╠══════════════════════════════════════════════════════════════════╣
║ Check: {specific_check}                                          ║
║ Target: {file:line / endpoint / system}                          ║
╠══════════════════════════════════════════════════════════════════╣
║ Result: {PASS|FAIL|WARN|N/A}                                     ║
║ Confidence: {VERIFIED|LIKELY|PATTERN_MATCH|NEEDS_REVIEW}         ║
║ Severity: {CRITICAL|HIGH|MEDIUM|LOW|INFO}                        ║
║ CVSS: {score}                                                    ║
╠══════════════════════════════════════════════════════════════════╣
║ Finding: {detailed description}                                  ║
║ Exploit: {proof of concept or "N/A"}                             ║
║ Fix: {specific remediation}                                      ║
╠══════════════════════════════════════════════════════════════════╣
║ Progress: [████████████░░░░░░░░] {N/10}%                         ║
║ Phase: {current}/{8} | ETA: ~{time} remaining                    ║
╚══════════════════════════════════════════════════════════════════╝

Expert Personas

Phase	Persona
1, 3, 7	Cybersecurity Veteran
2, 5	Code Auditor (Pentester)
4	Container Security Expert
6	Dependency Hunter
8	All Minds

Full persona descriptions in references/personas.md.

Phase Structure (1,000 Iterations)

Phase	Iterations	Focus Area
1	1-100	Reconnaissance & Attack Surface
2	101-250	OWASP Top 10 Deep Dive
3	251-400	Authentication & Secrets
4	401-550	Infrastructure & Containers
5	551-700	Code Quality & Business Logic
6	701-850	Supply Chain & Dependencies
7	851-950	Compliance & Documentation
8	951-1000	Final Verification & Report

Phase 1: Reconnaissance (1-100)

1-20: Platform sync — auto-detect stack, git sync, hash verification, environment drift
21-50: Attack surface — endpoint enumeration, auth mapping, rate limits, exposed ports, WebSocket/SSE
51-75: Hidden systems — undeclared services, cron jobs, orphan configs, Docker networks
76-100: Environment & docs — variable audit, .env drift, documentation accuracy, scoring

Phase 2: OWASP Top 10 (101-250)

Iter	OWASP	Focus
101-120	A01	Broken Access Control (IDOR, CORS, path traversal)
121-140	A02	Cryptographic Failures (algorithms, keys, TLS)
141-170	A03	Injection (SQL, Command, XSS, Template, Log)
171-185	A04	Insecure Design (missing controls, business logic)
186-200	A05	Security Misconfiguration (debug, errors, headers)
201-215	A06	Vulnerable Components (dependency audit)
216-230	A07	Auth Failures (credential stuffing, sessions)
231-240	A08	Integrity Failures (deserialization, CI/CD)
241-245	A09	Logging Failures
246-250	A10	SSRF

Phase 3: Authentication & Secrets (251-400)

Pre-check: Determine library vs custom crypto before flagging.

251-300: Secret detection (API keys, passwords, git history)
301-340: JWT security (algorithm, claims, storage, revocation)
341-365: OAuth 2.0 (PKCE, redirect URI, state, token exchange)
366-385: Admin authentication (brute force, timing, lockout)
386-400: Rate limiting (coverage, bypass)

Phase 4: Infrastructure (401-550)

401-450: Container security (non-root, readonly, capabilities, limits)
451-490: Network security (ports, firewall, isolation, egress)
491-515: TLS/SSL (cert validity, ciphers, HSTS)
516-535: SSH security (key auth, config hardening)
536-550: Database security (SSL, permissions, backups)

Phase 5: Code Quality (551-700)

Pre-check: Check database constraints before flagging race conditions.

551-590: Race conditions (TOCTOU, concurrent access, locks)
591-630: Business logic (workflow bypass, state manipulation)
631-660: Error handling (safe messages, fail-safe defaults)
661-690: Resource management (connections, memory, DoS)
691-700: Complexity attacks (ReDoS, JSON bombs)

Phase 6: Supply Chain (701-850)

701-750: Dependency audit (CVEs, outdated, typosquatting)
751-790: Third-party API security (keys, webhooks, rate limits)
791-820: Container supply chain (base images, signatures)
821-850: CI/CD security (secrets, permissions, pinned actions)

Phase 7: Compliance (851-950)

851-885: Privacy compliance (GDPR, data retention, consent)
886-915: Security documentation (incident response, policies)
916-935: Operational security (access control, change mgmt)
936-950: Audit trail (logging completeness, retention)

Phase 8: Final Verification (951-1000)

951-970: Critical findings re-verification
971-985: Penetration test simulation
986-995: Security scorecard generation
996-1000: Final report and summary

Auto-Detect (Iteration 1)

git rev-parse --show-toplevel, git remote -v
Stack: package.json, pyproject.toml, requirements.txt, go.mod, Cargo.toml
Infra: Dockerfile, docker-compose.yml, k8s manifests, terraform
CI/CD: .github/workflows, .gitlab-ci.yml, .circleci

Report File

On start: rename existing report. Auto-save every 50 iterations.

Parameters

Param	Default	Options
`--iterations`	1000	1-2000
`--focus`	all	recon, owasp, auth, infra, code, supply-chain, compliance, all
`--phase`	all	1-8
`--resume`	—	Continue from checkpoint

Context Limit Protocol

Checkpoint to .ralph-report.md, output resume command, wait for new session.

When to Use

Before major release
Compliance audit preparation
Security incident investigation
Deep dive after /ralph-security flags issues

Version tags

latestvk97cck2092aa3j2ttvm3z44hxh81ejq4

Runtime requirements

⚔️ Clawdis