Ralph Ultra Security Audit
by @dorukardahan
Deep-dive security audit with 1,000 iterations (~4-8 hours). Use when user says 'deep security audit', 'ralph ultra', 'compliance audit prep', 'thorough secu...
clawhub install ralph-ultraπ About This Skill
name: ralph-ultra description: "Deep-dive security audit with 1,000 iterations (~4-8 hours). Use when user says 'deep security audit', 'ralph ultra', 'compliance audit prep', 'thorough security review', 'before major release', or 'security incident investigation'. Covers OWASP deep dive, supply chain, compliance, business logic, 4 expert personas." metadata: { "openclaw": { "emoji": "βοΈ" }, "author": "dorukardahan", "version": "2.0.0", "category": "security", "tags": ["security", "audit", "deep-dive", "compliance", "owasp"] }
Ralph Ultra β 1,000 Iterations (~4-8 hours)
Deep-dive security audit with thorough coverage across all attack vectors.
References
Instructions
Execution Engine
YOU MUST follow this loop for EVERY iteration:
1. STATE: Read current iteration (start: 1)
2. PHASE: Determine phase from iteration number
3. MIND: Activate appropriate expert persona for phase
4. ACTION: Perform ONE check from current phase
5. VERIFY: Before FAIL β read actual code, check libraries, check DB constraints, check environment. If inconclusive: NEEDS_REVIEW.
6. REPORT: Output iteration result
7. SAVE: Every 50 iterations, update .ralph-report.md
8. INCREMENT: iteration + 1
9. CONTINUE: IF iteration <= 1000 GOTO Step 1
10. FINAL: Generate comprehensive report
Critical rules:
[ULTRA-X/1000]Per-Iteration Output
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β [ULTRA-{N}/1000] Phase {P}: {phase_name} β
β Mind: {active_expert_persona} β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ£
β Check: {specific_check} β
β Target: {file:line / endpoint / system} β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ£
β Result: {PASS|FAIL|WARN|N/A} β
β Confidence: {VERIFIED|LIKELY|PATTERN_MATCH|NEEDS_REVIEW} β
β Severity: {CRITICAL|HIGH|MEDIUM|LOW|INFO} β
β CVSS: {score} β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ£
β Finding: {detailed description} β
β Exploit: {proof of concept or "N/A"} β
β Fix: {specific remediation} β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ£
β Progress: [ββββββββββββββββββββ] {N/10}% β
β Phase: {current}/{8} | ETA: ~{time} remaining β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Expert Personas
| Phase | Persona | |-------|---------| | 1, 3, 7 | Cybersecurity Veteran | | 2, 5 | Code Auditor (Pentester) | | 4 | Container Security Expert | | 6 | Dependency Hunter | | 8 | All Minds |
Full persona descriptions in references/personas.md.
Phase Structure (1,000 Iterations)
| Phase | Iterations | Focus Area | |-------|------------|------------| | 1 | 1-100 | Reconnaissance & Attack Surface | | 2 | 101-250 | OWASP Top 10 Deep Dive | | 3 | 251-400 | Authentication & Secrets | | 4 | 401-550 | Infrastructure & Containers | | 5 | 551-700 | Code Quality & Business Logic | | 6 | 701-850 | Supply Chain & Dependencies | | 7 | 851-950 | Compliance & Documentation | | 8 | 951-1000 | Final Verification & Report |
Phase 1: Reconnaissance (1-100)
Phase 2: OWASP Top 10 (101-250)
| Iter | OWASP | Focus | |------|-------|-------| | 101-120 | A01 | Broken Access Control (IDOR, CORS, path traversal) | | 121-140 | A02 | Cryptographic Failures (algorithms, keys, TLS) | | 141-170 | A03 | Injection (SQL, Command, XSS, Template, Log) | | 171-185 | A04 | Insecure Design (missing controls, business logic) | | 186-200 | A05 | Security Misconfiguration (debug, errors, headers) | | 201-215 | A06 | Vulnerable Components (dependency audit) | | 216-230 | A07 | Auth Failures (credential stuffing, sessions) | | 231-240 | A08 | Integrity Failures (deserialization, CI/CD) | | 241-245 | A09 | Logging Failures | | 246-250 | A10 | SSRF |
Phase 3: Authentication & Secrets (251-400)
Pre-check: Determine library vs custom crypto before flagging.
Phase 4: Infrastructure (401-550)
Phase 5: Code Quality (551-700)
Pre-check: Check database constraints before flagging race conditions.
Phase 6: Supply Chain (701-850)
Phase 7: Compliance (851-950)
Phase 8: Final Verification (951-1000)
Auto-Detect (Iteration 1)
1. git rev-parse --show-toplevel, git remote -v
2. Stack: package.json, pyproject.toml, requirements.txt, go.mod, Cargo.toml
3. Infra: Dockerfile, docker-compose.yml, k8s manifests, terraform
4. CI/CD: .github/workflows, .gitlab-ci.yml, .circleci
Report File
On start: rename existing report. Auto-save every 50 iterations.
Parameters
| Param | Default | Options |
|-------|---------|---------|
| --iterations | 1000 | 1-2000 |
| --focus | all | recon, owasp, auth, infra, code, supply-chain, compliance, all |
| --phase | all | 1-8 |
| --resume | β | Continue from checkpoint |
Context Limit Protocol
Checkpoint to .ralph-report.md, output resume command, wait for new session.
When to Use
/ralph-security flags issues