Description
In plugins/ralph-wiggum/scripts/setup-ralph-loop.sh (lines 140-150), the user-provided prompt text is inserted directly into a markdown file via a heredoc without any escaping:
```sh
cat > .claude/ralph-loop.local.md <<EOF
...
$PROMPT
EOF
```
If the prompt contains the literal string EOF on its own line, or shell-special characters, this could cause:
- Premature heredoc termination, resulting in a truncated or malformed file
- Unexpected shell expansion of variables or commands within the prompt text
Expected Behavior
User-provided prompt text should be safely written to the file without risk of heredoc injection or shell expansion.
Suggested Fix
Use a quoted heredoc delimiter to prevent shell expansion, or write the file using printf or a similar method that does not interpret the content.
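One way to implement the suggested fix, as an added example that is not part of the original issue or the plugin's code: a quoted heredoc for the static text and `printf '%s'` for the prompt, checked with a round-trip comparison on a constructed prompt. The helper names and the header content are assumptions.

```shell
#!/bin/sh
# Added example, not the plugin's code. Helper names and header are hypothetical.

# Constructed sample prompt: an "EOF" line, shell metacharacters, and
# printf/echo escape sequences. Quoted delimiter keeps it literal here too.
sample_prompt() {
    cat <<'SAMPLE'
Fix the build until tests pass.
EOF
$(id) `id` $HOME
100%s done \n C:\temp
SAMPLE
}

# write_prompt_file DEST PROMPT
write_prompt_file() {
    wpf_dest=$1
    wpf_prompt=$2
    {
        # Static part: quoted delimiter, so the body is never expanded.
        cat <<'HEADER'
---
example-header: constructed
---
HEADER
        # Untrusted part: passed as data to %s, never as the format string,
        # and not through echo, whose backslash handling varies by shell.
        printf '%s\n' "$wpf_prompt"
    } > "$wpf_dest"
}

# prompt_roundtrips DEST PROMPT: succeeds if everything after the 3-line
# header is byte-for-byte the prompt (trailing newlines aside).
prompt_roundtrips() {
    [ "$(tail -n +4 "$1")" = "$2" ]
}

# Demo: write the sample and report whether it survived unchanged.
demo_dir=$(mktemp -d)
demo_prompt=$(sample_prompt)
write_prompt_file "$demo_dir/ralph-loop.local.md" "$demo_prompt"
if prompt_roundtrips "$demo_dir/ralph-loop.local.md" "$demo_prompt"; then
    echo "prompt written literally"
else
    echo "prompt was altered" >&2
fi
rm -rf "$demo_dir"
```

The same round-trip check can be kept as a regression test for the setup script once the write path is changed.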