Trust Assessment
ralph-loop received a trust score of 62/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 1 medium, and 1 low severity. Key findings: command injection via PROMPT.md content in the exec tool, an instruction to use sandbox-bypassing flags (`--yolo`, `--dangerously-skip-permissions`), and a missing Node lockfile.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Command Injection via PROMPT.md content in exec tool | The skill explicitly instructs the agent to execute shell commands using the `exec` tool, where the content of `PROMPT.md` is directly interpolated into the command string via `"$(cat PROMPT.md)"`. If `PROMPT.md` can be influenced by untrusted user input (e.g., the user-provided `<goal>` or other referenced files), a malicious user could inject arbitrary shell commands, leading to remote code execution within the agent's environment. This dangerous pattern is explicitly shown in the 'Agent Tool Usage Patterns' and 'CLI Command Reference' sections as the core mechanism for agent operation. Remediation: implement strict sanitization or escaping of all untrusted input before it is written to `PROMPT.md` and subsequently used in shell commands. Alternatively, use a safer method for passing prompt content to the coding agents (e.g., via stdin, temporary files, or direct API calls) that avoids shell interpolation. | LLM | SKILL.md:50 |
| HIGH | Instruction to use sandbox-bypassing flags (`--yolo`, `--dangerously-skip-permissions`) | The skill explicitly lists `--yolo` (for Codex) and `--dangerously-skip-permissions` (for Claude) as 'Optional' auto-approval flags, noting that `--yolo` means 'no sandbox!'. By instructing the agent to accept and use these flags based on user input, the skill enables a user to bypass critical security safeguards, allowing the underlying coding agent to execute code without sandboxing. This significantly increases the risk of arbitrary code execution, data exfiltration, or system compromise if the coding agent is compromised or acts maliciously. Remediation: modify the skill to explicitly disallow or ignore the `--yolo` and `--dangerously-skip-permissions` flags. Ensure that the agent's execution environment always enforces strict sandboxing, regardless of flags passed to the underlying coding agents. | LLM | SKILL.md:170 |
| MEDIUM | Broad `exec`, `file-read`, and `file-write` permissions requested | The `package.json` manifest requests broad `exec`, `file-read`, and `file-write` permissions. While these are necessary for the skill's intended functionality (orchestrating coding agents, reading/writing plan files), their combination, especially when coupled with the identified command injection vulnerability, creates a high-risk scenario. An attacker exploiting the command injection could leverage these permissions to read sensitive files, write malicious code, or execute arbitrary commands. Remediation: implement strict sandboxing and least-privilege principles for the agent's execution environment. Review whether all `file-read` and `file-write` operations are strictly necessary and confined to specific directories. Ensure that the `exec` tool is used with extreme caution and that all inputs to executed commands are thoroughly sanitized and escaped. | LLM | package.json:40 |
| LOW | Node lockfile missing | `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Remediation: commit a lockfile for deterministic dependency resolution. | Dependencies | skills/addozhang/ralph-loop-agent/package.json |
Full report: [skillshield.io/report/94170cf9753005e6](https://skillshield.io/report/94170cf9753005e6)