Trust Assessment
ralph received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 21 findings: 12 critical, 8 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, File read + network send exfiltration, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (21)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/ralph-skill/scripts/monitor_build.py:24 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/ralph-skill/scripts/monitor_build.py:38 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/ralph-skill/scripts/run_ralph_loop.py:78 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/ralph-skill/scripts/run_ralph_loop.py:97 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/ralph-skill/scripts/run_ralph_loop.py:98 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/ralph-skill/scripts/run_ralph_loop.py:157 |
| CRITICAL | File read + network send exfiltration: .env file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/snail3d/voice-devotional/ralph-skill/scripts/init_prd.py:122 |
| CRITICAL | File read + network send exfiltration: .env file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/snail3d/voice-devotional/ralph-skill/scripts/init_prd.py:136 |
| CRITICAL | File read + network send exfiltration: .env file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/snail3d/voice-devotional/ralph-skill/scripts/init_prd.py:152 |
| CRITICAL | File read + network send exfiltration: .env file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/snail3d/voice-devotional/ralph-skill/scripts/init_prd.py:164 |
| CRITICAL | Command injection via user-controlled `test_command`. The `run_ralph_loop.py` script executes the `test_command` from `ralph.config.json` using `subprocess.run(test_cmd, shell=True)`. Since `ralph.config.json` is user-controlled (generated by `ralph init` and editable by the user), an attacker can inject arbitrary shell commands into the `test_command` field. This allows for remote code execution on the host system with the privileges of the skill. Do not use `shell=True` with user-controlled input. Instead, parse the command and its arguments, and pass them as a list to `subprocess.run()`. If `shell=True` is strictly necessary, implement robust input validation and sanitization for `test_command` to prevent arbitrary command execution. | LLM | scripts/run_ralph_loop.py:100 |
| CRITICAL | Default configuration enables `--dangerously-skip-permissions`. The `init_prd.py` script, when initializing a new project, defaults the `claude_code_flags` in `ralph.config.json` to `["--dangerously-skip-permissions"]`. The `run_ralph_loop.py` script then uses these flags when invoking `claude exec`. This bypasses the host LLM's security prompts and grants broad, unconfirmed execution permissions to the Claude Code agent, significantly increasing the attack surface and risk of unauthorized actions. This directly contradicts the `SKILL.md`'s explicit advice against using this flag. Remove `"--dangerously-skip-permissions"` from the default `CONFIG_TEMPLATE` in `init_prd.py`. The skill should rely on the host LLM's permission system for all operations, requiring explicit user confirmation for potentially dangerous actions. | LLM | scripts/init_prd.py:105 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'check_session_status'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/voice-devotional/ralph-skill/scripts/monitor_build.py:24 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'get_session_log'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/voice-devotional/ralph-skill/scripts/monitor_build.py:38 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run_loop'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/voice-devotional/ralph-skill/scripts/run_ralph_loop.py:157 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run_test'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/voice-devotional/ralph-skill/scripts/run_ralph_loop.py:78 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'commit'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/voice-devotional/ralph-skill/scripts/run_ralph_loop.py:97 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'commit'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/voice-devotional/ralph-skill/scripts/run_ralph_loop.py:98 |
| HIGH | User-controlled PRD content injected into LLM prompt. The `generate_claude_prompt` function in `run_ralph_loop.py` constructs the prompt for `claude exec` using various fields from the `PRD.json` (e.g., task title, description, acceptance criteria). Since the PRD is user-controlled, a malicious user can inject instructions into these fields to manipulate the Claude Code LLM, potentially leading to unintended actions, data exfiltration, or further compromise of the agent's behavior. Implement strict sanitization and escaping of all user-controlled content before embedding it into the LLM prompt. Consider using a templating engine that automatically escapes variables, or explicitly mark user input as non-instructional to the LLM to prevent prompt injection. | LLM | scripts/run_ralph_loop.py:167 |
| HIGH | Automatic Git push can exfiltrate sensitive data. The `run_ralph_loop.py` script includes logic to automatically `git push` to a remote repository if GitHub integration is enabled (`self.prd.get("gh")`). While the skill emphasizes the use of `.gitignore`, there is no guarantee that all sensitive data will be excluded, especially if the `.gitignore` is incomplete or if the agent is explicitly instructed to commit sensitive files. Automatic pushing of potentially sensitive project files to a public or unauthorized remote repository constitutes a significant data exfiltration risk. Require explicit user confirmation before performing `git push` operations, especially for initial pushes or pushes to new remotes. Implement stricter checks to ensure no sensitive files are staged or committed. Educate users about the risks of committing sensitive data to version control. | LLM | scripts/run_ralph_loop.py:221 |
| MEDIUM | Example prompt encourages direct inclusion of file content. The `SKILL.md` provides an example command: `claude exec "Follow the RALPH BUILD LOOP. Here's the PRD: $(cat PRD.json)"`. This pattern directly embeds the entire content of `PRD.json` into the LLM's prompt. If `PRD.json` contains sensitive information (e.g., API keys, internal project details, or other confidential data), this practice could lead to its exfiltration if the LLM is manipulated to output or process this sensitive data inappropriately. Advise users against including raw file content directly in prompts, especially for files that might contain sensitive information. Instead, suggest summarizing or redacting sensitive parts, or using secure methods for providing context to the LLM. | LLM | SKILL.md:275 |