Trust Assessment
ec-ralph-loop received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 8 findings: 3 critical, 3 high, 2 medium, and 0 low severity. Key findings include a missing required `name` field, command injection via a user-controlled directory path, and prompt injection via user-controlled PRD content.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via User-Controlled Directory Path.** The `PROJECT_DIR` variable is directly taken from user input (`$1`) without sanitization and is used to construct `RALPH_DIR`. This `RALPH_DIR` is then used in multiple shell commands including `cd`, `mkdir -p`, `cp`, `chmod +x`, and crucially, to execute `"$RALPH_DIR/ralph.sh"`. An attacker can provide a path like `../../evil_dir` for `PROJECT_DIR`, leading to path traversal. This allows arbitrary file writes, modification of permissions on arbitrary files, and execution of an attacker-controlled script (`ralph.sh`) from an arbitrary location on the filesystem. Remediation: sanitize `PROJECT_DIR` to ensure it is a safe, relative path or canonicalize it to prevent path traversal. Consider using `readlink -f` or similar to resolve the absolute path and then validate it. Ensure that any execution of scripts from user-controlled paths is strictly prohibited or heavily sandboxed. | LLM | scripts/run-ralph.sh:18 |
| CRITICAL | **Prompt Injection via User-Controlled PRD Content.** The `PROMPT` variable, which is piped directly to `codex exec`, includes content from `prd.json`. The `prd.json` file is generated from user-provided markdown (via `create-prd.sh` and `convert-prd.sh`) and contains user-controlled fields like `title`, `description`, and `acceptanceCriteria`. A malicious user can craft these fields to inject instructions into the LLM's prompt, potentially manipulating its behavior, causing it to generate harmful code, or exfiltrate data. Remediation: implement robust input sanitization and validation for all user-controlled content that feeds into the LLM's prompt. Use a structured prompt template that clearly separates user input from system instructions. Consider using LLM-specific input sanitization techniques or sandboxing the LLM's execution environment. | LLM | scripts/run-ralph.sh:74 |
| CRITICAL | **Excessive Permissions Granted to LLM Agent.** The `codex exec` command is invoked with the `--dangerously-skip-permissions` flag. This flag explicitly disables all permission checks for the LLM agent's actions, granting it unrestricted access to the system. When combined with prompt injection vulnerabilities, this allows a malicious actor to execute arbitrary commands, read/write files anywhere, or perform other highly privileged operations through the LLM. Remediation: remove the `--dangerously-skip-permissions` flag. Implement a strict permission model for the LLM agent, granting it only the minimum necessary privileges to perform its intended tasks. Use a secure execution environment with strong sandboxing and resource limits. | LLM | scripts/run-ralph.sh:77 |
| HIGH | **Data Exfiltration via Path Traversal in Log Output.** The output of the `codex exec` command, which includes the LLM's responses and potentially sensitive information, is appended to `"$RALPH_DIR/progress.txt"` using `tee -a`. Since `RALPH_DIR` is constructed from user-controlled `PROJECT_DIR` without sanitization, an attacker can use path traversal (e.g., `PROJECT_DIR=../../evil_dir`) to redirect this output to an arbitrary file on the system. This could lead to exfiltration of sensitive data generated by the LLM or other system information. Remediation: sanitize `PROJECT_DIR` to prevent path traversal. Ensure that log files are written only to designated, secure directories. Implement strict access controls on log files and their directories. | LLM | scripts/run-ralph.sh:77 |
| HIGH | **Command Injection via User-Controlled Output Directory.** The `OUTPUT_DIR` variable is directly taken from user input (`$2`) without sanitization and is used in `mkdir -p "$OUTPUT_DIR"`, `cat > "$OUTPUT_DIR/prd.json"`, `python3 open("$OUTPUT_DIR/prd.json", 'w')`, and `cat > "$OUTPUT_DIR/progress.txt"`. An attacker can provide a path like `../evil_dir` for `OUTPUT_DIR`, leading to path traversal. This allows arbitrary file writes outside the intended skill directory, which can be used for privilege escalation or to disrupt system operations. Remediation: sanitize `OUTPUT_DIR` to ensure it is a safe, relative path or canonicalize it to prevent path traversal. Validate that the resolved path remains within the expected skill directory before performing file operations. | LLM | scripts/convert-prd.sh:7 |
| HIGH | **Data Exfiltration via Path Traversal in Status Check.** The `PROJECT_DIR` variable is directly taken from user input (`$1`) without sanitization and is used to construct `PRD_FILE` and the path for `tail`. An attacker can provide a path like `../../evil_dir` for `PROJECT_DIR`, leading to path traversal. This allows the `jq` and `tail` commands to read arbitrary files on the system, potentially exfiltrating sensitive information from outside the intended project directory. Remediation: sanitize `PROJECT_DIR` to ensure it is a safe, relative path or canonicalize it to prevent path traversal. Validate that the resolved path remains within the expected skill directory before performing file read operations. | LLM | scripts/status.sh:6 |
| MEDIUM | **Missing required field: name.** The `name` field is required for claude_code skills but is missing from the frontmatter. Remediation: add a `name` field to the SKILL.md frontmatter. | Static | skills/henrino3/ec-ralph-loop/SKILL.md:1 |
| MEDIUM | **Prompt Injection via PRD Description.** The `DESCRIPTION` argument, provided by the user, is directly embedded into the generated PRD markdown file (`tasks/$FILENAME`). This markdown file is later read by `convert-prd.sh` and its content (or derived content) is used to construct prompts for an LLM. A malicious `DESCRIPTION` could contain instructions intended to manipulate the LLM's behavior during subsequent steps of the Ralph loop. Remediation: sanitize or escape the user-provided `DESCRIPTION` before embedding it into the PRD markdown, especially if the markdown is intended to be processed by an LLM. Clearly delineate user input from system instructions in the LLM prompt to prevent injection. | LLM | scripts/create-prd.sh:21 |
Full report: https://skillshield.io/report/39472ef10cac8aed
Powered by SkillShield