Trust Assessment
ralph-operations received a trust score of 82/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The high finding is Potential Command Injection via Unsanitized Arguments in Shell Commands; the medium finding is Excessive Permissions via 'ralph loops attach' and Destructive Commands.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Command Injection via Unsanitized Arguments in Shell Commands.** The skill documentation provides numerous shell command examples with placeholders for dynamic input (e.g., `<id>`, `<loop-id>`, `"your prompt"`). If an AI agent interpolates untrusted user input into these arguments without validation, the result is command injection: whoever controls the value can execute arbitrary commands on the host, delete files, or gain unauthorized access. Affected examples include `ralph loops stop <id>`, `ralph loops attach <id>`, `ralph run -p "your prompt"`, `git worktree remove .worktrees/<id> --force`, and the `<loop-id>` inside the `echo` command that appends to `merge-queue.jsonl`. Agents using this skill must validate every user-supplied argument (an allowlist of permitted characters is the simplest check) before constructing a command, and must pass arguments as distinct parameters to a command-execution API that does not invoke a shell (e.g., `subprocess.run` with an argv list and `shell=False` in Python) so that shell metacharacters are never interpreted. Additionally, restrict the set of commands an agent may run according to its role and the sensitivity of the operation. | LLM | SKILL.md:20 |
| MEDIUM | **Excessive Permissions via 'ralph loops attach' and Destructive Commands.** The skill exposes powerful commands that, if misused, have significant system impact. `ralph loops attach <id>` is documented as "shelling into a worktree", granting broad access within that environment. `rm .ralph/loop.lock`, `ralph clean --diagnostics`, and `git worktree remove .worktrees/<id> --force` delete files and directories. These are intended for system management, but if invoked inappropriately (deleting critical files, attaching to an unauthorized worktree) they can cause unauthorized data deletion, denial of service, or unintended shell access, affecting integrity or availability. Apply strict access controls and input validation to any command that grants shell access or performs a destructive operation, and run the agent in a sandboxed environment with the minimum permissions it needs. For `ralph loops attach`, confirm that `<id>` refers to an authorized, intended worktree (for example, that the resolved path stays under `.worktrees/`). For deletion commands, require explicit confirmation or restrict them to privileged contexts, and make sure the agent's decision logic is robust against misinterpreting a request. | LLM | SKILL.md:49 |
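Both findings above come down to how the agent turns a user-supplied `<id>` into a process: the first is about argument interpolation, the second about which commands are allowed to run at all. The following Python example, added here as an illustration and not code from the ralph project or from SkillShield, shows the vulnerable string-building pattern next to a hardened version that validates the id against an allowlist, passes it as a separate argv element with no shell, confirms that a worktree path resolves under `.worktrees/`, gates destructive commands behind an explicit confirmation, and writes the `merge-queue.jsonl` line with `json.dumps` instead of `echo`. The id format, the `.worktrees/<id>` layout, and the set of commands treated as destructive or shell-granting are assumptions made for the example.

```python
"""Guarding shell-command construction for an agent that drives the ralph CLI.

Added example for this report, not code from ralph or SkillShield. The id
allowlist, the .worktrees/<id> layout and the DESTRUCTIVE / SHELL_ACCESS sets
are assumptions made for illustration.
"""
import json
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Allowlist for <id>/<loop-id>. The first character must be alphanumeric, so a
# value such as "--force" or "-rf" cannot be smuggled in as an option.
LOOP_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Command prefixes from the skill that delete state or open a shell (assumed).
DESTRUCTIVE = {("ralph", "clean"), ("git", "worktree", "remove"), ("rm",)}
SHELL_ACCESS = {("ralph", "loops", "attach")}


def unsafe_command_string(loop_id: str) -> str:
    """The vulnerable pattern: untrusted input interpolated into a shell string.
    With loop_id = 'x; rm -rf ~' a shell would run two commands."""
    return f"ralph loops stop {loop_id}"


def validate_loop_id(loop_id: str) -> str:
    """Return loop_id unchanged if it matches the allowlist, else raise."""
    if not LOOP_ID_RE.fullmatch(loop_id):
        raise ValueError(f"rejected loop id: {loop_id!r}")
    return loop_id


def authorized_worktree(loop_id: str, repo_root: str) -> str:
    """Resolve .worktrees/<id> and confirm it stays directly under that root."""
    root = (Path(repo_root) / ".worktrees").resolve()
    target = (root / validate_loop_id(loop_id)).resolve()
    if target.parent != root:  # defence in depth against traversal/symlinks
        raise PermissionError(f"{loop_id!r} escapes {root}")
    return str(target)


def requires_confirmation(argv: list[str]) -> bool:
    """True for commands that delete state or grant shell access."""
    return any(tuple(argv[: len(p)]) == p for p in DESTRUCTIVE | SHELL_ACCESS)


def stop_loop_argv(loop_id: str) -> list[str]:
    """Safe form of `ralph loops stop <id>`: argv list, id validated."""
    return ["ralph", "loops", "stop", validate_loop_id(loop_id)]


def remove_worktree_argv(loop_id: str, repo_root: str, confirmed: bool = False) -> list[str]:
    """Safe form of `git worktree remove .worktrees/<id> --force`."""
    argv = ["git", "worktree", "remove", authorized_worktree(loop_id, repo_root), "--force"]
    if requires_confirmation(argv) and not confirmed:
        raise PermissionError("destructive command requires explicit confirmation")
    return argv


def run_argv(argv: list[str]) -> subprocess.CompletedProcess:
    """Execute without a shell: each argv element reaches the program verbatim."""
    return subprocess.run(argv, shell=False, check=True, capture_output=True, text=True)


def literal_passthrough(arg: str) -> str:
    """Demonstrate that metacharacters are not parsed when shell=False."""
    return run_argv(["echo", arg]).stdout.strip()


def enqueue_merge(loop_id: str, queue_path: str) -> str:
    """Replace `echo '{"id":"<loop-id>"}' >> merge-queue.jsonl` with a direct write."""
    line = json.dumps({"id": validate_loop_id(loop_id)})
    with open(queue_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


def demo_queue_path() -> str:
    """Fresh temporary queue file for trying enqueue_merge offline."""
    return os.path.join(tempfile.mkdtemp(), "merge-queue.jsonl")


def rejects(fn, *args, **kwargs) -> bool:
    """True if fn raises ValueError or PermissionError (used to check the gates)."""
    try:
        fn(*args, **kwargs)
    except (ValueError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    hostile = "x; rm -rf ~"
    print("vulnerable:", unsafe_command_string(hostile))
    print("rejected by allowlist:", rejects(stop_loop_argv, hostile))
    print("echo with shell=False prints literally:", literal_passthrough(hostile))
    print("queue line:", enqueue_merge("loop-42", demo_queue_path()))
```

`literal_passthrough` runs `echo` only to make the point visible: with an argv list the string `x; rm -rf ~` arrives at `echo` as one argument and is printed, whereas the string returned by `unsafe_command_string` would be split by a shell at the `;`. The same argv discipline applies to `ralph run -p "your prompt"`, where the prompt should be a single list element rather than a quoted fragment in a command string.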
Full report: https://skillshield.io/report/55d66d02d051f7b1 (powered by SkillShield)