Trust Assessment
ralph received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 20 findings: 11 critical, 8 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, File read + network send exfiltration, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (20)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/ralph-skill/scripts/monitor_build.py:24 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/ralph-skill/scripts/monitor_build.py:38 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/ralph-skill/scripts/run_ralph_loop.py:78 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/ralph-skill/scripts/run_ralph_loop.py:97 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/ralph-skill/scripts/run_ralph_loop.py:98 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/ralph-skill/scripts/run_ralph_loop.py:157 |
| CRITICAL | File read + network send exfiltration. .env file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/snail3d/clawforgod/ralph-skill/scripts/init_prd.py:122 |
| CRITICAL | File read + network send exfiltration. .env file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/snail3d/clawforgod/ralph-skill/scripts/init_prd.py:136 |
| CRITICAL | File read + network send exfiltration. .env file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/snail3d/clawforgod/ralph-skill/scripts/init_prd.py:152 |
| CRITICAL | File read + network send exfiltration. .env file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/snail3d/clawforgod/ralph-skill/scripts/init_prd.py:164 |
| CRITICAL | Arbitrary command execution via 'test_command' in ralph.config.json. The `run_ralph_loop.py` script executes the `test_command` from `ralph.config.json` using `subprocess.run(..., shell=True)`. Since `ralph.config.json` is user-editable and created by `init_prd.py`, an attacker who can modify this file can inject and execute arbitrary shell commands on the host system. This allows for full system compromise. Avoid `shell=True` when executing user-controlled commands. If `shell=True` is absolutely necessary, strictly validate and sanitize `test_cmd` to ensure it only contains allowed commands and arguments, or use a safer execution method that passes arguments as a list. | LLM | scripts/run_ralph_loop.py:100 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'check_session_status'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawforgod/ralph-skill/scripts/monitor_build.py:24 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'get_session_log'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawforgod/ralph-skill/scripts/monitor_build.py:38 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run_loop'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawforgod/ralph-skill/scripts/run_ralph_loop.py:157 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run_test'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawforgod/ralph-skill/scripts/run_ralph_loop.py:78 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'commit'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawforgod/ralph-skill/scripts/run_ralph_loop.py:97 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'commit'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawforgod/ralph-skill/scripts/run_ralph_loop.py:98 |
| HIGH | User-controlled PRD content can inject instructions into Claude's prompt. The `SKILL.md` instructs the user to pass the entire `PRD.json` content to Claude via `claude exec "Follow the RALPH BUILD LOOP. Here's the PRD: $(cat PRD.json)"`. The `PRD.json` contains user-editable fields such as `sp` (starter prompt), `ti` (task title), `d` (task description), and `ac` (acceptance criteria). An attacker who can modify `PRD.json` can inject malicious instructions into Claude's prompt, potentially manipulating its behavior or extracting information. When constructing prompts from user-controlled data, sanitize all inputs to remove or neutralize any potential instructions or directives. Consider using a structured data format for the prompt that separates instructions from data, or strictly whitelist allowed content. | LLM | SKILL.md:200 |
| HIGH | Sensitive file contents can be exfiltrated via Claude's prompt. The `run_ralph_loop.py` script's `read_file` function reads the content of a file specified by the `filepath` field in the `PRD.json`. This content is then embedded into the prompt generated by `generate_claude_prompt` and subsequently passed to Claude. An attacker who can modify `PRD.json` can set `filepath` to a sensitive system file (e.g., `/etc/passwd`, `~/.ssh/id_rsa`), causing its contents to be read and sent to the LLM, leading to data exfiltration. Implement strict validation for `filepath` values in `PRD.json`, allowing only paths within the project directory or a predefined safe sandbox. Avoid reading arbitrary file contents and embedding them directly into prompts without sanitization or explicit user confirmation for sensitive files. | LLM | scripts/run_ralph_loop.py:140 |
| MEDIUM | Default configuration includes '--dangerously-skip-permissions' flag for Claude Code. The `ralph.config.json` file, generated by `init_prd.py`, includes `claude_code_flags: ["--dangerously-skip-permissions"]`. Additionally, the `SKILL.md` initially lists "Starts Claude Code - With `--dangerously-skip-permissions` flag" as one of "What Ralph Does". While the `SKILL.md` later advises against using this flag, its presence in the default configuration and initial description suggests a potentially dangerous mode of operation. If a user or another part of the system were to use this configuration without careful consideration, it could lead to Claude Code operating with excessive and unsafe permissions. Remove `--dangerously-skip-permissions` from the default `ralph.config.json` template. If such a flag is ever needed, it should be explicitly enabled by the user with full awareness of the risks, not included by default or suggested as a standard operation. | LLM | scripts/init_prd.py:50 |