Security risk report for @forgecat/anthropics_claude-code_ralph-wiggum v0.0.3
Source Integrity
Low
Profile claims Anthropic authorship and references official Claude Code plugin repository (github.com/anthropics/claude-code).
License correctly attributes Anthropic PBC; no typosquatted or attacker-controlled dependencies injected.
Agent Intent
INT-000Medium
The ralph-loop command executes a shell script via an inline bash block (`!` syntax) using `$ARGUMENTS` directly, which could allow prompt-injection through user-supplied arguments passed unsanitized to the shell.
The profile instructs the agent to run in an unbounded loop (while-true) intercepting the Stop hook, which expands the agent's autonomous operating scope well beyond a single task — a form of self-expanding authority.
No explicit credential exfiltration, role hijacking, or system prompt leakage instructions are present; the loop logic itself is the primary concern.
commands/ralph-loop.md: 'When you try to exit, the Ralph loop will feed the SAME PROMPT back to you for the next iteration.'
Permissions
PRM-003Medium
The cancel-ralph command uses scoped Bash tools (test, rm) limited to a specific file path, which is appropriately narrow.
The ralph-loop command's allowed-tools grants execution of an arbitrary shell script (`setup-ralph-loop.sh`) with a wildcard argument pattern (`*`), which is broader than necessary and could be abused if the script content is malicious or the path is hijacked.
The static scanner flagged a Stop hook (`stop-hook.sh`) that has no declared tool match — a hook with no tool constraints could execute with unchecked authority at session termination.