Trust Assessment
ralph-loops received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 10 findings: 4 critical, 1 high, 3 medium, and 1 low severity. Key findings include "Missing required field: name", "Unpinned npm dependency version", and "Command Injection via --check-cmd argument".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via --check-cmd argument.** The `ralph-loop.mjs` script directly executes the value of the `--check-cmd` argument using `execSync`. An attacker could provide a malicious string to `--check-cmd` containing shell metacharacters (e.g., `; rm -rf /`) to execute arbitrary commands on the host system. Sanitize or validate the `--check-cmd` argument to ensure it does not contain shell metacharacters. Alternatively, use `child_process.spawn` with an array of arguments and `shell: false` to prevent shell interpretation, or implement a whitelist of allowed commands. | LLM | scripts/ralph-loop.mjs:204 |
| CRITICAL | **Command Injection via `clawdbot` arguments in `spawn`.** The `ralph-loop.mjs` script constructs the `clawdbotCmd` string using user-controlled arguments such as `sessionId`, `thinking`, and `modelArg`. This string is then executed via `child_process.spawn` with `shell: true`. If any of these user-controlled arguments contain shell metacharacters (e.g., `'; rm -rf /'`), they can lead to arbitrary command execution on the host system. Refactor the `clawdbot` command execution to use `child_process.spawn` with an array of arguments and `shell: false`. This prevents shell interpretation of the arguments. Ensure all user-controlled inputs are passed as separate arguments in the array and are not concatenated into a single command string. | LLM | scripts/ralph-loop.mjs:319 |
| CRITICAL | **Excessive Permissions: `--dangerously-skip-permissions` flag used.** Both `scripts/ralph-loop.mjs` and `templates/loop.sh` explicitly use the `--dangerously-skip-permissions` flag when invoking the `clawdbot agent` or `claude` CLI. This flag bypasses the agent's internal security mechanisms, allowing it to execute arbitrary commands or access files without explicit user confirmation. This significantly increases the blast radius in case of a prompt injection or command injection vulnerability. Remove the `--dangerously-skip-permissions` flag. Implement a more granular permission system or require explicit user confirmation for sensitive operations. If autonomous operation is critical, ensure the execution environment is strictly sandboxed (e.g., Docker, VM) and has minimal access to host resources. | LLM | scripts/ralph-loop.mjs:315 |
| CRITICAL | **Excessive Permissions: `--dangerously-skip-permissions` flag used in loop.sh.** Both `scripts/ralph-loop.mjs` and `templates/loop.sh` explicitly use the `--dangerously-skip-permissions` flag when invoking the `clawdbot agent` or `claude` CLI. This flag bypasses the agent's internal security mechanisms, allowing it to execute arbitrary commands or access files without explicit user confirmation. This significantly increases the blast radius in case of a prompt injection or command injection vulnerability. Remove the `--dangerously-skip-permissions` flag. Implement a more granular permission system or require explicit user confirmation for sensitive operations. If autonomous operation is critical, ensure the execution environment is strictly sandboxed (e.g., Docker, VM) and has minimal access to host resources. | LLM | templates/loop.sh:77 |
| HIGH | **Command Injection via `kill -9` in `ralph-reader.mjs`.** The `killLoop` function in `dashboard/lib/ralph-reader.mjs` constructs a shell command `kill -9 ${pid}` where `pid` is retrieved from a state file based on a user-provided `loopId`. While `pid` is expected to be numeric, if a non-numeric or malicious value were somehow stored in the state file (e.g., due to a prior compromise or bug), it could lead to arbitrary command execution. The `loopId` itself is from `req.params.id` in the API route, which is user-controlled. Ensure that the `pid` variable is strictly validated as a numeric process ID before being used in a shell command. Consider using `process.kill()` directly in Node.js instead of `execSync` to avoid shell interpretation, or pass the PID as a separate argument to `spawn` with `shell: false`. | LLM | dashboard/lib/ralph-reader.mjs:204 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/qlifebot-coder/ralph-loops/SKILL.md:1 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'express' is not pinned to an exact version ('^4.18.2'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/qlifebot-coder/ralph-loops/dashboard/package.json |
| MEDIUM | **Unpinned Dependencies in package.json.** The `dashboard/package.json` file uses caret (`^`) ranges for `express` and `cors` dependencies. This means that `npm install` could fetch new minor or patch versions automatically, which might introduce breaking changes, vulnerabilities, or unexpected behavior without explicit review. While `package-lock.json` pins versions, the `package.json` still indicates a lack of strict pinning. Pin dependencies to exact versions (e.g., `"express": "4.18.2"`) to ensure deterministic builds and prevent unexpected updates. Use a tool like `npm shrinkwrap` or manually update `package.json` to exact versions after verifying dependencies. | LLM | dashboard/package.json:10 |
| LOW | **Potential Data Exfiltration via Command Injection.** While no direct data exfiltration code is present, the critical command injection vulnerabilities identified in `scripts/ralph-loop.mjs` (via `--check-cmd` and `clawdbotCmd` arguments) and the excessive permissions granted by `--dangerously-skip-permissions` create a credible exploit path for data exfiltration. An attacker could leverage these vulnerabilities to execute commands that read sensitive files (e.g., from `process.env.HOME` or other directories) and send them to an external server. Address the underlying command injection and excessive permissions vulnerabilities. Implement strict input validation and sanitization for all user-controlled arguments. Run the skill in a highly restricted and isolated environment (e.g., Docker container with minimal bind mounts and network access) to limit the impact of any potential data exfiltration attempts. | LLM | scripts/ralph-loop.mjs:204 |
| INFO | **CORS enabled for all origins in Dashboard.** The `dashboard/server.mjs` explicitly enables Cross-Origin Resource Sharing (CORS) for all origins (`app.use(cors());`). While this might be intended for a local development dashboard, it removes a layer of defense against cross-site request forgery (CSRF) or other cross-origin attacks if other vulnerabilities exist. For a production-facing dashboard, this would be a higher severity issue. If the dashboard is not intended to be accessed from arbitrary origins, configure CORS to restrict access to a specific whitelist of trusted origins. For a local-only dashboard, ensure it's not exposed to the public internet. | LLM | dashboard/server.mjs:12 |
Full report: https://skillshield.io/report/6ec0012815cf9330