ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ralph Loops

v1.0.2

Runs autonomous iterative AI loops for requirements, planning, or building phases using structured prompts and fresh context per iteration.

1· 4.5k·19 current·21 all-time
by@qlifebot-coder
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Files and SKILL.md describe an agent-loop runner and dashboard. The code calls the local 'clawdbot' gateway, the Claude CLI, reads loop state from /tmp and ~/.clawdbot, and exposes a local dashboard — these capabilities align with managing autonomous agent loops.
Instruction Scope
Runtime instructions direct the agent to start loops (node scripts), create/read /tmp prompt/state files, and archive to ~/clawd/logs/ralph-archive. The SKILL.md and SETUP.md explicitly instruct installing the Claude CLI and running node scripts. This scope is coherent, but the runtime will read user-home transcripts and temp files and instruct background process spawning; review these behaviors if you want to limit data exposure or side effects.
Install Mechanism
No install spec is embedded in the skill bundle (instruction-only installation). The dashboard uses standard npm dependencies (express, cors) declared in package.json; SETUP.md recommends installing @anthropic-ai/claude-code via npm. There are no arbitrary remote download URLs or extraction steps in the manifest.
Credentials
The skill declares no required environment variables or credentials. It uses process.env.HOME to find transcripts and writes to /tmp and ~/clawd/logs — these accesses are proportionate to a local loop monitor. No unrelated cloud keys or secrets are requested.
Persistence & Privilege
always:false and model invocation is allowed (platform default). The skill spawns background processes and includes logic to kill processes (pgrep/pkill/kill) and to write '-done' files; while this is necessary for stopping runaway loops, killing processes by pattern can affect unrelated processes if patterns collide. It does not request permanent platform-wide privileges or modify other skills' configs.
Assessment
This skill appears internally consistent for running and monitoring autonomous 'Ralph' loops, but review and accept the expected local side effects before installing: it will read transcript files under ~/.clawdbot, write state and done files in /tmp and ~/clawd/logs/ralph-archive, spawn background Claude CLI processes, and use pgrep/pkill/kill to stop loops. Recommended actions: (1) inspect scripts/scripts/ralph-loop.mjs and templates/loop.sh to confirm no unexpected network calls; (2) run in an isolated account/container or a non-production machine first; (3) back up any transcripts you don't want the skill to read; (4) note SETUP.md's recommended Claude CLI version (2.1.25) and verify compatibility; (5) be cautious about the kill logic on multi-user/shared hosts because pattern-based pgrep/pkill could match unrelated processes.

Like a lobster shell, security has layers — review code before you run it.

latestvk974jhc6k3vs32wfnv8knvxda580acb7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments