Security: daniloaguiarbr/claudecode-ralph-loop-plus

SECURITY.md

Security Policy

Supported versions

Version   Status
1.x       ✅ Active support
< 1.0     ❌ Pre-release only

Threat model

The primary attack surface in a Ralph loop plugin is shell metacharacter injection via the user-supplied prompt. Upstream ralph-loop went through several iterations fixing this; this fork inherits the final WriteBash(--prompt-file) contract which eliminates the shell boundary entirely — the prompt is written to a file by a tool that performs no shell interpretation, then read back by the setup script with cat.

Out-of-scope for this plugin:

  • Compromise of the Claude Code binary itself.
  • Compromise of the MCP servers Claude Code talks to.
  • Prompt-injection attacks that manipulate the agent's behavior (not the plugin's behavior). Those are orthogonal to what this plugin does.

In-scope:

  • Shell injection through --prompt-file contents.
  • State-file corruption leading to arbitrary command execution via sed / awk / jq substitution (e.g., crafted frontmatter that escapes into the continuation of a pipeline).
  • Denial-of-service via pathological transcript files that make the stop hook hang (we cap the transcript read at 100 lines and use awk match() instead of sed -E specifically to prevent this).
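The two in-scope mechanisms above, shown side by side as an added example that is not part of the plugin's own code: a prompt spliced into a shell command line versus the --prompt-file round trip (printf '%s' stands in for the WriteBash tool, which is an assumption), and a stop-hook style frontmatter lookup that reads at most 100 transcript lines with awk match(). The function names, the sample prompt and the sample transcript are all constructed here.

```shell
#!/usr/bin/env bash
# Added example, not the plugin's own code. Contrasts interpolating a user prompt
# into a shell command line with the --prompt-file contract from the threat model,
# and shows the 100-line transcript cap with an awk match() field extraction.
# Function names, SAMPLE_PROMPT and the sample transcript are constructed here.

# Constructed sample prompt carrying the metacharacters that matter when a prompt
# is re-parsed by a shell: $(...), backticks and a command separator.
SAMPLE_PROMPT='Refactor foo(); then $(echo INJECTED) `echo BACKTICK` ; echo SEMI'

# Broken pattern: the prompt is interpolated into a string that a second shell
# parses, so the substitutions inside it run before printf ever sees them.
unsafe_render() {
    sh -c "printf '%s\n' \"$1\""
}

# --prompt-file pattern: the prompt is written to a file by a tool that does no
# shell interpretation (printf '%s' stands in for WriteBash here) and read back
# with cat. No shell tokenizes the prompt at any point, so it round-trips verbatim.
safe_render() {
    local tmp
    tmp="$(mktemp)"
    printf '%s' "$1" > "$tmp"
    cat "$tmp"
    rm -f "$tmp"
}

# Constructed stand-in for a transcript: two frontmatter lines followed by a
# long body of the kind a pathological transcript would use to stall a hook
# that scans the whole file. Prints the path of the temp file it wrote.
make_sample_transcript() {
    local tmp
    tmp="$(mktemp)"
    {
        printf 'status: running\n'
        printf 'iteration: 7\n'
        awk 'BEGIN { for (i = 0; i < 5000; i++) print "filler line " i }'
    } > "$tmp"
    printf '%s' "$tmp"
}

# Frontmatter lookup as the threat model describes: only the first 100 lines are
# examined, and awk match() on an anchored key replaces sed -E. Prints the value
# of key $2 from transcript $1, or nothing if the key is absent.
extract_field() {
    head -n 100 "$1" | awk -v key="$2" '
        match($0, "^" key ": *") { print substr($0, RLENGTH + 1); exit }
    '
}

# Number of lines the stop hook actually reads, regardless of transcript size.
capped_line_count() {
    head -n 100 "$1" | wc -l | tr -d ' '
}

# Demo: the unsafe path expands the substitutions, the file path does not.
echo "unsafe: $(unsafe_render "$SAMPLE_PROMPT")"
echo "safe:   $(safe_render "$SAMPLE_PROMPT")"
demo_transcript="$(make_sample_transcript)"
echo "status=$(extract_field "$demo_transcript" status) lines_read=$(capped_line_count "$demo_transcript")"
rm -f "$demo_transcript"
```

The unsafe renderer prints `INJECTED` and `BACKTICK` in place of the substitutions, which is exactly the boundary the --prompt-file contract removes; the safe renderer returns the prompt byte for byte. The transcript helper reports 100 lines read against a 5002-line file, so the hook's work is bounded by the cap rather than by the attacker's file size.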

Reporting a vulnerability

Please report security issues to the maintainer privately rather than disclosing details in a public issue:

  • Open an issue marked "SECURITY — please contact me privately" with no details, and the maintainer will reach out.
  • Or DM on the GitHub profile linked in plugin.json.

Include:

  • A short proof-of-concept (prompt, flags, observed behavior).
  • The Claude Code version (claude --version).
  • Your OS and bash version (bash --version).

We aim to acknowledge reports within 7 days and ship a fix within 30.

Disclosure

After a fix ships, the advisory and CVE (if applicable) will be published as a GitHub Security Advisory on the repository, and the CHANGELOG will be updated with a ### Security entry naming the reporter (unless they request anonymity).
