# Send Ralph Ultra Security Audit to your agent Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. ## Fast path - Download the package from Yavira. - Extract it into a folder your agent can access. - Paste one of the prompts below and point your agent at the extracted folder. ## Suggested prompts ### New install ```text I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete. ``` ### Upgrade existing ```text I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run. ``` ## Machine-readable fields ```json { "schemaVersion": "1.0", "item": { "slug": "ralph-ultra", "name": "Ralph Ultra Security Audit", "source": "tencent", "type": "skill", "category": "安全合规", "sourceUrl": "https://clawhub.ai/dorukardahan/ralph-ultra", "canonicalUrl": "https://clawhub.ai/dorukardahan/ralph-ultra", "targetPlatform": "OpenClaw" }, "install": { "downloadUrl": "/downloads/ralph-ultra", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=ralph-ultra", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "packageFormat": "ZIP package", "primaryDoc": "SKILL.md", "includedAssets": [ "SKILL.md", "references/personas.md", "references/severity-guide.md" ], "downloadMode": "redirect", "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/ralph-ultra" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] } }, "links": { "detailUrl": "https://openagent3.xyz/skills/ralph-ultra", "downloadUrl": "https://openagent3.xyz/downloads/ralph-ultra", "agentUrl": "https://openagent3.xyz/skills/ralph-ultra/agent", "manifestUrl": "https://openagent3.xyz/skills/ralph-ultra/agent.json", "briefUrl": "https://openagent3.xyz/skills/ralph-ultra/agent.md" } } ``` ## Documentation ### Ralph Ultra — 1,000 Iterations (~4-8 hours) Deep-dive security audit with thorough coverage across all attack vectors. ### References Severity and triage guidance Expert persona descriptions ### Execution Engine YOU MUST follow this loop for EVERY iteration: STATE: Read current iteration (start: 1) PHASE: Determine phase from iteration number MIND: Activate appropriate expert persona for phase ACTION: Perform ONE check from current phase VERIFY: Before FAIL — read actual code, check libraries, check DB constraints, check environment. If inconclusive: NEEDS_REVIEW. REPORT: Output iteration result SAVE: Every 50 iterations, update .ralph-report.md INCREMENT: iteration + 1 CONTINUE: IF iteration <= 1000 GOTO Step 1 FINAL: Generate comprehensive report Critical rules: ONE check per iteration — deep, not wide ALWAYS show [ULTRA-X/1000] NEVER skip iterations CRITICAL findings: immediately flag Apply Red Team mindset to EVERY check ### Per-Iteration Output ╔══════════════════════════════════════════════════════════════════╗ ║ [ULTRA-{N}/1000] Phase {P}: {phase_name} ║ ║ Mind: {active_expert_persona} ║ ╠══════════════════════════════════════════════════════════════════╣ ║ Check: {specific_check} ║ ║ Target: {file:line / endpoint / system} ║ ╠══════════════════════════════════════════════════════════════════╣ ║ Result: {PASS|FAIL|WARN|N/A} ║ ║ Confidence: {VERIFIED|LIKELY|PATTERN_MATCH|NEEDS_REVIEW} ║ ║ Severity: {CRITICAL|HIGH|MEDIUM|LOW|INFO} ║ ║ CVSS: {score} ║ ╠══════════════════════════════════════════════════════════════════╣ ║ Finding: {detailed description} ║ ║ Exploit: {proof of concept or "N/A"} ║ ║ Fix: {specific remediation} ║ ╠══════════════════════════════════════════════════════════════════╣ ║ Progress: [████████████░░░░░░░░] {N/10}% ║ ║ Phase: {current}/{8} | ETA: ~{time} remaining ║ ╚══════════════════════════════════════════════════════════════════╝ ### Expert Personas PhasePersona1, 3, 7Cybersecurity Veteran2, 5Code Auditor (Pentester)4Container Security Expert6Dependency Hunter8All Minds Full persona descriptions in references/personas.md. ### Phase Structure (1,000 Iterations) PhaseIterationsFocus Area11-100Reconnaissance & Attack Surface2101-250OWASP Top 10 Deep Dive3251-400Authentication & Secrets4401-550Infrastructure & Containers5551-700Code Quality & Business Logic6701-850Supply Chain & Dependencies7851-950Compliance & Documentation8951-1000Final Verification & Report ### Phase 1: Reconnaissance (1-100) 1-20: Platform sync — auto-detect stack, git sync, hash verification, environment drift 21-50: Attack surface — endpoint enumeration, auth mapping, rate limits, exposed ports, WebSocket/SSE 51-75: Hidden systems — undeclared services, cron jobs, orphan configs, Docker networks 76-100: Environment & docs — variable audit, .env drift, documentation accuracy, scoring ### Phase 2: OWASP Top 10 (101-250) IterOWASPFocus101-120A01Broken Access Control (IDOR, CORS, path traversal)121-140A02Cryptographic Failures (algorithms, keys, TLS)141-170A03Injection (SQL, Command, XSS, Template, Log)171-185A04Insecure Design (missing controls, business logic)186-200A05Security Misconfiguration (debug, errors, headers)201-215A06Vulnerable Components (dependency audit)216-230A07Auth Failures (credential stuffing, sessions)231-240A08Integrity Failures (deserialization, CI/CD)241-245A09Logging Failures246-250A10SSRF ### Phase 3: Authentication & Secrets (251-400) Pre-check: Determine library vs custom crypto before flagging. 251-300: Secret detection (API keys, passwords, git history) 301-340: JWT security (algorithm, claims, storage, revocation) 341-365: OAuth 2.0 (PKCE, redirect URI, state, token exchange) 366-385: Admin authentication (brute force, timing, lockout) 386-400: Rate limiting (coverage, bypass) ### Phase 4: Infrastructure (401-550) 401-450: Container security (non-root, readonly, capabilities, limits) 451-490: Network security (ports, firewall, isolation, egress) 491-515: TLS/SSL (cert validity, ciphers, HSTS) 516-535: SSH security (key auth, config hardening) 536-550: Database security (SSL, permissions, backups) ### Phase 5: Code Quality (551-700) Pre-check: Check database constraints before flagging race conditions. 551-590: Race conditions (TOCTOU, concurrent access, locks) 591-630: Business logic (workflow bypass, state manipulation) 631-660: Error handling (safe messages, fail-safe defaults) 661-690: Resource management (connections, memory, DoS) 691-700: Complexity attacks (ReDoS, JSON bombs) ### Phase 6: Supply Chain (701-850) 701-750: Dependency audit (CVEs, outdated, typosquatting) 751-790: Third-party API security (keys, webhooks, rate limits) 791-820: Container supply chain (base images, signatures) 821-850: CI/CD security (secrets, permissions, pinned actions) ### Phase 7: Compliance (851-950) 851-885: Privacy compliance (GDPR, data retention, consent) 886-915: Security documentation (incident response, policies) 916-935: Operational security (access control, change mgmt) 936-950: Audit trail (logging completeness, retention) ### Phase 8: Final Verification (951-1000) 951-970: Critical findings re-verification 971-985: Penetration test simulation 986-995: Security scorecard generation 996-1000: Final report and summary ### Auto-Detect (Iteration 1) git rev-parse --show-toplevel, git remote -v Stack: package.json, pyproject.toml, requirements.txt, go.mod, Cargo.toml Infra: Dockerfile, docker-compose.yml, k8s manifests, terraform CI/CD: .github/workflows, .gitlab-ci.yml, .circleci ### Report File On start: rename existing report. Auto-save every 50 iterations. ### Parameters ParamDefaultOptions--iterations10001-2000--focusallrecon, owasp, auth, infra, code, supply-chain, compliance, all--phaseall1-8--resume—Continue from checkpoint ### Context Limit Protocol Checkpoint to .ralph-report.md, output resume command, wait for new session. ### When to Use Before major release Compliance audit preparation Security incident investigation Deep dive after /ralph-security flags issues ## Trust - Source: tencent - Verification: Indexed source record - Publisher: dorukardahan - Version: 3.0.0 ## Source health - Status: healthy - Source download looks usable. - Yavira can redirect you to the upstream package for this source. - Health scope: source - Reason: direct_download_ok - Checked at: 2026-04-23T16:43:11.935Z - Expires at: 2026-04-30T16:43:11.935Z - Recommended action: Download for OpenClaw ## Links - [Detail page](https://openagent3.xyz/skills/ralph-ultra) - [Send to Agent page](https://openagent3.xyz/skills/ralph-ultra/agent) - [JSON manifest](https://openagent3.xyz/skills/ralph-ultra/agent.json) - [Markdown brief](https://openagent3.xyz/skills/ralph-ultra/agent.md) - [Download page](https://openagent3.xyz/downloads/ralph-ultra)