No typosquatted, attacker-controlled, or suspicious dependencies declared.
Agent Intent
INT-000Medium
The loop mechanism instructs the agent to autonomously repeat the same prompt up to an unlimited number of iterations ('default: unlimited'), which could be exploited to run unbounded autonomous actions without user oversight.
Skills instruct the agent to write and read local state files under `.cursor/ralph/` and execute shell commands (`rm -rf .cursor/ralph`), but these are scoped to the project directory and serve the stated purpose.
No credential exfiltration, role hijacking, system prompt leakage, or guidance poisoning was detected; the guardrails section explicitly warns against false promises to escape the loop, which is a positive signal.
Details
Evidence
'--max-iterations <N> stops after N iterations (default: unlimited)'
'Stop hook intercepts exit and feeds the same prompt back' — autonomous loop without user confirmation each iteration
'rm -rf .cursor/ralph' — shell deletion instruction in cancel-ralph skill
Permissions
PRM-003Medium
The static scanner flagged two shell hook scripts (`capture-response.sh`, `stop-hook.sh`) that are referenced but not declared as formal tool categories, meaning their actual capabilities cannot be fully audited from the profile alone.
Shell hooks that fire automatically on `afterAgentResponse` and `stop` events represent implicit file-write and shell-execution authority beyond what is declared in the tool manifest.
The `cancel-ralph` skill instructs `rm -rf` on a directory, which is a file-delete operation; while scoped to `.cursor/ralph`, this is a non-trivial permission for an automated skill.