Is dorukardahan/ralph-quick safe?
https://github.com/openclaw/skills/tree/main/skills/dorukardahan/ralph-quick
ralph-quick is a well-structured, legitimate AI-assisted security scanner that performs 10 targeted checks (secrets, OWASP basics, auth, rate limiting, containers) and writes a local report. The skill contains no executable code, no prompt injection techniques, and no exfiltration endpoints, and its installation was clean with only expected GitHub network traffic. The primary risk is inherent to the tool's purpose: the mandate to scan for hardcoded secrets grants the agent implicit read access to sensitive files within the scanned project, and any discovered credentials will be consolidated in a plaintext .ralph-report.md — users should scope invocations carefully and be aware that three unreviewed higher-intensity sibling skills are promoted within the skill itself.
Findings (6)
LOW Sibling skills promoted but not reviewed (-15)
SKILL.md actively promotes three related skills with dramatically higher iteration counts (/ralph-security: 100, /ralph-ultra: 1,000, /ralph-promax: 10,000) as upgrade paths for deeper audits. These skills may have significantly different instruction sets, broader permissions, or riskier behaviors. Users who follow the upgrade path without reviewing those skills separately could be exposed to higher-risk agents.
LOW Scan report consolidates discovered secrets in plaintext (-8)
The skill's final step writes a full summary report to .ralph-report.md (and archives prior reports with timestamps). If the secret detection iterations find actual credentials — API keys, passwords, tokens — in the scanned project, those findings will be written to the report in plaintext. This creates a secondary exposure if the working directory is shared, version-controlled, or readable by other processes.
LOW Parameters are AI-interpreted rather than CLI-parsed (-7)
The skill explicitly documents that --iterations and --focus are 'AI-interpreted instructions, not parsed CLI args.' This means adversarial content embedded in a user's request or another active skill could influence the scan's scope, iteration count, or focus area in unintended ways. A strict CLI parser would reject invalid inputs; an AI interpreter will attempt to comply with injected instructions.
INFO Security scanning mandate requires reading sensitive project files (-10)
The skill legitimately instructs the agent to check whether .env is in .gitignore and to scan for hardcoded secrets. This is correct and expected behavior for a security audit tool. However, it means the agent will read .env files, configuration files, and any other files in the scanned directory tree. Users should ensure the agent is invoked with a well-scoped working directory and not pointed at sensitive directories outside the project.
INFO Canary credential files read-accessed during audit window (-20)
Filesystem inotify and auditd PATH records confirm that six honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud/application_default_credentials.json) were opened and read at two points during the audit window (timestamps 1771908343 and 1771908366). File integrity was confirmed intact by the canary check. The access pattern — occurring both before skill install and in a post-install verification pass — is consistent with the oathe audit framework's own baseline collection and canary verification routines rather than skill-initiated reads.
INFO Install uses full monorepo clone with sparse checkout (-8)
The install script clones the entire openclaw/skills monorepo (--depth 1) and uses git sparse-checkout to extract only the target skill subdirectory. This is a standard pattern for monorepo skill distribution but means the install process briefly fetches a pack file containing all shallow objects across the monorepo before extracting the target path. This is expected behavior, not a risk, but increases install-time network footprint compared to a dedicated repo.