Ralph Loop (Agent Mode)

Guide OpenClaw agents to execute Ralph Wiggum loops using exec and process tools. Agent orchestrates coding agents (Codex, Claude Code, OpenCode, Goose) with proper TTY support via pty:true. Plans/builds code via PROMPT.md + AGENTS.md, SPECS and IMPLEMENTATION_PLAN.md. Includes PLANNING vs BUILDING modes, backpressure, sandboxing, and completion conditions. Users request loops, agents execute using tools.

This skill appears to do what it says — it teaches an OpenClaw agent how to launch and monitor interactive coding CLIs using exec + process — but there are several things to consider before installing or running it: 1. Metadata mismatch: The package/README explicitly require CLIs like opencode/codex/claude/goose, but the registry metadata you were shown said 'none' for required binaries. Confirm which CLIs are actually required and present on the host before use. 2. Review auto-approval flags: The SKILL.md references risky flags (e.g. --yolo, --dangerously-skip-permissions, --full-auto). Avoid enabling those unless you run the skill in a fully isolated sandbox and understand the consequences. 3. Sandbox and least privilege: Run initial tests in an isolated environment (container/VM) with limited network and credentials. Prefer sandboxed execution (docker/e2b/fly) as the README recommends. 4. Inspect generated prompts and files: The agent will create and cat PROMPT.md and other files into CLI commands. Prompt injection or crafted prompts could cause the coding CLI to run unintended actions. Review PROMPT.md, AGENTS.md, and command strings before allowing execution. 5. Monitor runtime and logs: Use the platform's process/exec monitoring controls and be prepared to kill sessions if behavior is unexpected. Do not give the agent access to sensitive cloud credentials or wide git permissions when testing. 6. What would change this assessment: If there were an install script that downloaded code from an untrusted host, or the skill requested unrelated credentials (AWS/GCP tokens) in its declared requirements, or the registry metadata intentionally omitted required exec/process permissions — the verdict would be higher-severity suspicious or worse. Providing explicit, consistent required-tools metadata and removing or clearly warning about permission-bypassing flags would increase my confidence to 'benign'.

Type: OpenClaw Skill Name: ralph-loop-agent Version: 1.1.0 This skill is classified as suspicious due to several high-risk capabilities. The primary concern is a clear command injection vulnerability where the content of `PROMPT.md` is directly executed as part of shell commands via `exec tool ... "$(cat PROMPT.md)"` (seen in SKILL.md and README.md). This allows a malicious user or agent to inject arbitrary commands. Additionally, the skill explicitly documents and instructs the agent to accept and use highly risky flags like `--yolo` (no sandbox) and `--dangerously-skip-permissions` (seen in SKILL.md and README.md), which can bypass critical safety mechanisms. The skill also requires broad `exec`, `process`, `file-read`, and `file-write` permissions (package.json), granting extensive control over the system.