{ "schemaVersion": "1.0", "item": { "slug": "ralph-ultra", "name": "Ralph Ultra Security Audit", "source": "tencent", "type": "skill", "category": "安全合规", "sourceUrl": "https://clawhub.ai/dorukardahan/ralph-ultra", "canonicalUrl": "https://clawhub.ai/dorukardahan/ralph-ultra", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/ralph-ultra", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=ralph-ultra", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md", "references/personas.md", "references/severity-guide.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/ralph-ultra" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/ralph-ultra", "agentPageUrl": "https://openagent3.xyz/skills/ralph-ultra/agent", "manifestUrl": "https://openagent3.xyz/skills/ralph-ultra/agent.json", "briefUrl": "https://openagent3.xyz/skills/ralph-ultra/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Ralph Ultra — 1,000 Iterations (~4-8 hours)", "body": "Deep-dive security audit with thorough coverage across all attack vectors." }, { "title": "References", "body": "Severity and triage guidance\nExpert persona descriptions" }, { "title": "Execution Engine", "body": "YOU MUST follow this loop for EVERY iteration:\n\nSTATE: Read current iteration (start: 1)\nPHASE: Determine phase from iteration number\nMIND: Activate appropriate expert persona for phase\nACTION: Perform ONE check from current phase\nVERIFY: Before FAIL — read actual code, check libraries, check DB constraints, check environment. If inconclusive: NEEDS_REVIEW.\nREPORT: Output iteration result\nSAVE: Every 50 iterations, update .ralph-report.md\nINCREMENT: iteration + 1\nCONTINUE: IF iteration <= 1000 GOTO Step 1\nFINAL: Generate comprehensive report\n\nCritical rules:\n\nONE check per iteration — deep, not wide\nALWAYS show [ULTRA-X/1000]\nNEVER skip iterations\nCRITICAL findings: immediately flag\nApply Red Team mindset to EVERY check" }, { "title": "Per-Iteration Output", "body": "╔══════════════════════════════════════════════════════════════════╗\n║ [ULTRA-{N}/1000] Phase {P}: {phase_name} ║\n║ Mind: {active_expert_persona} ║\n╠══════════════════════════════════════════════════════════════════╣\n║ Check: {specific_check} ║\n║ Target: {file:line / endpoint / system} ║\n╠══════════════════════════════════════════════════════════════════╣\n║ Result: {PASS|FAIL|WARN|N/A} ║\n║ Confidence: {VERIFIED|LIKELY|PATTERN_MATCH|NEEDS_REVIEW} ║\n║ Severity: {CRITICAL|HIGH|MEDIUM|LOW|INFO} ║\n║ CVSS: {score} ║\n╠══════════════════════════════════════════════════════════════════╣\n║ Finding: {detailed description} ║\n║ Exploit: {proof of concept or \"N/A\"} ║\n║ Fix: {specific remediation} ║\n╠══════════════════════════════════════════════════════════════════╣\n║ Progress: [████████████░░░░░░░░] {N/10}% ║\n║ Phase: {current}/{8} | ETA: ~{time} remaining ║\n╚══════════════════════════════════════════════════════════════════╝" }, { "title": "Expert Personas", "body": "PhasePersona1, 3, 7Cybersecurity Veteran2, 5Code Auditor (Pentester)4Container Security Expert6Dependency Hunter8All Minds\n\nFull persona descriptions in references/personas.md." }, { "title": "Phase Structure (1,000 Iterations)", "body": "PhaseIterationsFocus Area11-100Reconnaissance & Attack Surface2101-250OWASP Top 10 Deep Dive3251-400Authentication & Secrets4401-550Infrastructure & Containers5551-700Code Quality & Business Logic6701-850Supply Chain & Dependencies7851-950Compliance & Documentation8951-1000Final Verification & Report" }, { "title": "Phase 1: Reconnaissance (1-100)", "body": "1-20: Platform sync — auto-detect stack, git sync, hash verification, environment drift\n21-50: Attack surface — endpoint enumeration, auth mapping, rate limits, exposed ports, WebSocket/SSE\n51-75: Hidden systems — undeclared services, cron jobs, orphan configs, Docker networks\n76-100: Environment & docs — variable audit, .env drift, documentation accuracy, scoring" }, { "title": "Phase 2: OWASP Top 10 (101-250)", "body": "IterOWASPFocus101-120A01Broken Access Control (IDOR, CORS, path traversal)121-140A02Cryptographic Failures (algorithms, keys, TLS)141-170A03Injection (SQL, Command, XSS, Template, Log)171-185A04Insecure Design (missing controls, business logic)186-200A05Security Misconfiguration (debug, errors, headers)201-215A06Vulnerable Components (dependency audit)216-230A07Auth Failures (credential stuffing, sessions)231-240A08Integrity Failures (deserialization, CI/CD)241-245A09Logging Failures246-250A10SSRF" }, { "title": "Phase 3: Authentication & Secrets (251-400)", "body": "Pre-check: Determine library vs custom crypto before flagging.\n\n251-300: Secret detection (API keys, passwords, git history)\n301-340: JWT security (algorithm, claims, storage, revocation)\n341-365: OAuth 2.0 (PKCE, redirect URI, state, token exchange)\n366-385: Admin authentication (brute force, timing, lockout)\n386-400: Rate limiting (coverage, bypass)" }, { "title": "Phase 4: Infrastructure (401-550)", "body": "401-450: Container security (non-root, readonly, capabilities, limits)\n451-490: Network security (ports, firewall, isolation, egress)\n491-515: TLS/SSL (cert validity, ciphers, HSTS)\n516-535: SSH security (key auth, config hardening)\n536-550: Database security (SSL, permissions, backups)" }, { "title": "Phase 5: Code Quality (551-700)", "body": "Pre-check: Check database constraints before flagging race conditions.\n\n551-590: Race conditions (TOCTOU, concurrent access, locks)\n591-630: Business logic (workflow bypass, state manipulation)\n631-660: Error handling (safe messages, fail-safe defaults)\n661-690: Resource management (connections, memory, DoS)\n691-700: Complexity attacks (ReDoS, JSON bombs)" }, { "title": "Phase 6: Supply Chain (701-850)", "body": "701-750: Dependency audit (CVEs, outdated, typosquatting)\n751-790: Third-party API security (keys, webhooks, rate limits)\n791-820: Container supply chain (base images, signatures)\n821-850: CI/CD security (secrets, permissions, pinned actions)" }, { "title": "Phase 7: Compliance (851-950)", "body": "851-885: Privacy compliance (GDPR, data retention, consent)\n886-915: Security documentation (incident response, policies)\n916-935: Operational security (access control, change mgmt)\n936-950: Audit trail (logging completeness, retention)" }, { "title": "Phase 8: Final Verification (951-1000)", "body": "951-970: Critical findings re-verification\n971-985: Penetration test simulation\n986-995: Security scorecard generation\n996-1000: Final report and summary" }, { "title": "Auto-Detect (Iteration 1)", "body": "git rev-parse --show-toplevel, git remote -v\nStack: package.json, pyproject.toml, requirements.txt, go.mod, Cargo.toml\nInfra: Dockerfile, docker-compose.yml, k8s manifests, terraform\nCI/CD: .github/workflows, .gitlab-ci.yml, .circleci" }, { "title": "Report File", "body": "On start: rename existing report. Auto-save every 50 iterations." }, { "title": "Parameters", "body": "ParamDefaultOptions--iterations10001-2000--focusallrecon, owasp, auth, infra, code, supply-chain, compliance, all--phaseall1-8--resume—Continue from checkpoint" }, { "title": "Context Limit Protocol", "body": "Checkpoint to .ralph-report.md, output resume command, wait for new session." }, { "title": "When to Use", "body": "Before major release\nCompliance audit preparation\nSecurity incident investigation\nDeep dive after /ralph-security flags issues" } ], "body": "Ralph Ultra — 1,000 Iterations (~4-8 hours)\n\nDeep-dive security audit with thorough coverage across all attack vectors.\n\nReferences\nSeverity and triage guidance\nExpert persona descriptions\nInstructions\nExecution Engine\n\nYOU MUST follow this loop for EVERY iteration:\n\nSTATE: Read current iteration (start: 1)\nPHASE: Determine phase from iteration number\nMIND: Activate appropriate expert persona for phase\nACTION: Perform ONE check from current phase\nVERIFY: Before FAIL — read actual code, check libraries, check DB constraints, check environment. If inconclusive: NEEDS_REVIEW.\nREPORT: Output iteration result\nSAVE: Every 50 iterations, update .ralph-report.md\nINCREMENT: iteration + 1\nCONTINUE: IF iteration <= 1000 GOTO Step 1\nFINAL: Generate comprehensive report\n\nCritical rules:\n\nONE check per iteration — deep, not wide\nALWAYS show [ULTRA-X/1000]\nNEVER skip iterations\nCRITICAL findings: immediately flag\nApply Red Team mindset to EVERY check\nPer-Iteration Output\n╔══════════════════════════════════════════════════════════════════╗\n║ [ULTRA-{N}/1000] Phase {P}: {phase_name} ║\n║ Mind: {active_expert_persona} ║\n╠══════════════════════════════════════════════════════════════════╣\n║ Check: {specific_check} ║\n║ Target: {file:line / endpoint / system} ║\n╠══════════════════════════════════════════════════════════════════╣\n║ Result: {PASS|FAIL|WARN|N/A} ║\n║ Confidence: {VERIFIED|LIKELY|PATTERN_MATCH|NEEDS_REVIEW} ║\n║ Severity: {CRITICAL|HIGH|MEDIUM|LOW|INFO} ║\n║ CVSS: {score} ║\n╠══════════════════════════════════════════════════════════════════╣\n║ Finding: {detailed description} ║\n║ Exploit: {proof of concept or \"N/A\"} ║\n║ Fix: {specific remediation} ║\n╠══════════════════════════════════════════════════════════════════╣\n║ Progress: [████████████░░░░░░░░] {N/10}% ║\n║ Phase: {current}/{8} | ETA: ~{time} remaining ║\n╚══════════════════════════════════════════════════════════════════╝\n\nExpert Personas\nPhase\tPersona\n1, 3, 7\tCybersecurity Veteran\n2, 5\tCode Auditor (Pentester)\n4\tContainer Security Expert\n6\tDependency Hunter\n8\tAll Minds\n\nFull persona descriptions in references/personas.md.\n\nPhase Structure (1,000 Iterations)\nPhase\tIterations\tFocus Area\n1\t1-100\tReconnaissance & Attack Surface\n2\t101-250\tOWASP Top 10 Deep Dive\n3\t251-400\tAuthentication & Secrets\n4\t401-550\tInfrastructure & Containers\n5\t551-700\tCode Quality & Business Logic\n6\t701-850\tSupply Chain & Dependencies\n7\t851-950\tCompliance & Documentation\n8\t951-1000\tFinal Verification & Report\nPhase 1: Reconnaissance (1-100)\n1-20: Platform sync — auto-detect stack, git sync, hash verification, environment drift\n21-50: Attack surface — endpoint enumeration, auth mapping, rate limits, exposed ports, WebSocket/SSE\n51-75: Hidden systems — undeclared services, cron jobs, orphan configs, Docker networks\n76-100: Environment & docs — variable audit, .env drift, documentation accuracy, scoring\nPhase 2: OWASP Top 10 (101-250)\nIter\tOWASP\tFocus\n101-120\tA01\tBroken Access Control (IDOR, CORS, path traversal)\n121-140\tA02\tCryptographic Failures (algorithms, keys, TLS)\n141-170\tA03\tInjection (SQL, Command, XSS, Template, Log)\n171-185\tA04\tInsecure Design (missing controls, business logic)\n186-200\tA05\tSecurity Misconfiguration (debug, errors, headers)\n201-215\tA06\tVulnerable Components (dependency audit)\n216-230\tA07\tAuth Failures (credential stuffing, sessions)\n231-240\tA08\tIntegrity Failures (deserialization, CI/CD)\n241-245\tA09\tLogging Failures\n246-250\tA10\tSSRF\nPhase 3: Authentication & Secrets (251-400)\n\nPre-check: Determine library vs custom crypto before flagging.\n\n251-300: Secret detection (API keys, passwords, git history)\n301-340: JWT security (algorithm, claims, storage, revocation)\n341-365: OAuth 2.0 (PKCE, redirect URI, state, token exchange)\n366-385: Admin authentication (brute force, timing, lockout)\n386-400: Rate limiting (coverage, bypass)\nPhase 4: Infrastructure (401-550)\n401-450: Container security (non-root, readonly, capabilities, limits)\n451-490: Network security (ports, firewall, isolation, egress)\n491-515: TLS/SSL (cert validity, ciphers, HSTS)\n516-535: SSH security (key auth, config hardening)\n536-550: Database security (SSL, permissions, backups)\nPhase 5: Code Quality (551-700)\n\nPre-check: Check database constraints before flagging race conditions.\n\n551-590: Race conditions (TOCTOU, concurrent access, locks)\n591-630: Business logic (workflow bypass, state manipulation)\n631-660: Error handling (safe messages, fail-safe defaults)\n661-690: Resource management (connections, memory, DoS)\n691-700: Complexity attacks (ReDoS, JSON bombs)\nPhase 6: Supply Chain (701-850)\n701-750: Dependency audit (CVEs, outdated, typosquatting)\n751-790: Third-party API security (keys, webhooks, rate limits)\n791-820: Container supply chain (base images, signatures)\n821-850: CI/CD security (secrets, permissions, pinned actions)\nPhase 7: Compliance (851-950)\n851-885: Privacy compliance (GDPR, data retention, consent)\n886-915: Security documentation (incident response, policies)\n916-935: Operational security (access control, change mgmt)\n936-950: Audit trail (logging completeness, retention)\nPhase 8: Final Verification (951-1000)\n951-970: Critical findings re-verification\n971-985: Penetration test simulation\n986-995: Security scorecard generation\n996-1000: Final report and summary\nAuto-Detect (Iteration 1)\ngit rev-parse --show-toplevel, git remote -v\nStack: package.json, pyproject.toml, requirements.txt, go.mod, Cargo.toml\nInfra: Dockerfile, docker-compose.yml, k8s manifests, terraform\nCI/CD: .github/workflows, .gitlab-ci.yml, .circleci\nReport File\n\nOn start: rename existing report. Auto-save every 50 iterations.\n\nParameters\nParam\tDefault\tOptions\n--iterations\t1000\t1-2000\n--focus\tall\trecon, owasp, auth, infra, code, supply-chain, compliance, all\n--phase\tall\t1-8\n--resume\t—\tContinue from checkpoint\nContext Limit Protocol\n\nCheckpoint to .ralph-report.md, output resume command, wait for new session.\n\nWhen to Use\nBefore major release\nCompliance audit preparation\nSecurity incident investigation\nDeep dive after /ralph-security flags issues" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/dorukardahan/ralph-ultra", "publisherUrl": "https://clawhub.ai/dorukardahan/ralph-ultra", "owner": "dorukardahan", "version": "3.0.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/ralph-ultra", "downloadUrl": "https://openagent3.xyz/downloads/ralph-ultra", "agentUrl": "https://openagent3.xyz/skills/ralph-ultra/agent", "manifestUrl": "https://openagent3.xyz/skills/ralph-ultra/agent.json", "briefUrl": "https://openagent3.xyz/skills/ralph-ultra/agent.md" } }