Is hsssgdtc/ralph-evolver safe?

https://github.com/openclaw/skills/tree/main/skills/hsssgdtc/ralph-evolver

71
CAUTION

Ralph-evolver is a legitimate recursive code-improvement CLI tool with no direct malicious code, no install hooks, no hidden network exfiltration, and a clean install process. However, it carries meaningful operational risk: it unconditionally executes npm and pytest scripts in any target project it analyzes, includes unsanitized project file content (including CLAUDE.md) verbatim in LLM prompts creating prompt injection relay risk, and supports an autonomous self-modification loop that could persist agent-driven changes to its own source code. Canary credential files were accessed twice during monitoring but timing and the 'intact' report indicate this was the audit infrastructure's own baseline and teardown checks, not the skill.

Category Scores

Prompt Injection 77/100 · 30%
Data Exfiltration 68/100 · 25%
Code Execution 62/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 65/100 · 10%
Behavioral Reasoning 58/100 · 5%

Findings (7)

HIGH Executes arbitrary npm/pytest scripts in target project -30

checkNodeJS() calls execFileSync('npm', ['run', 'build'/'test'/'lint']) and checkPython() calls pytest in the user-supplied projectPath. Any project with malicious test or build scripts will execute that code with the invoking user's privileges when ralph-evolver analyzes it.

HIGH Self-modifying LLM loop with no human review gate -20

The DISCOVER prompt explicitly instructs the LLM agent to edit evolve.js. The --loop N flag repeats this N times autonomously. A successful prompt injection via project files would cause the agent to write persistent malicious code into the skill's own source, surviving future sessions.

MEDIUM Unsanitized project file content injected into LLM prompt -23

getProjectContext() reads CLAUDE.md, README.md, and SKILL.md from the target project verbatim and splices them into the evolution prompt. A malicious repo's CLAUDE.md or README.md could contain LLM directives that hijack agent behavior during analysis.

MEDIUM Sensitive project data exposed in generated prompts and stdout -32

The skill reads git history, TODO comments, error patterns, and source file structures and writes them into the LLM prompt. The --spawn flag writes the full prompt to stdout. This can expose secrets in commit messages, internal API patterns, or credentials embedded in source comments.

MEDIUM Canary credential files opened and read during monitoring window -35

inotify and auditd both record OPEN+ACCESS events for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud credentials at 13:27:45 and again at 13:27:62. The audit system reports 'intact', and timing analysis indicates these accesses originate from audit infrastructure's own canary baseline and teardown checks (the skill was never executed during monitoring). Risk is lower but the read events are documented.

LOW ImprovementTracker writes LLM-controlled data into target project -20

The skill writes .ralph/improvements.json into the target project directory. This file is later read back and included in subsequent prompts. An attacker who controls the target project could pre-seed this file with crafted 'insights' to influence future LLM behavior.

LOW Install traffic limited to expected GitHub endpoints -12

All network activity during install resolves to GitHub (140.82.121.3) and Canonical/Ubuntu background services (185.125.188.57, 185.125.190.18). No suspicious C2 domains, no data exfiltration endpoints, no new listeners created.