central-station
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill fetches and summarizes user-generated content from public threads at station-server.railway.com. Ingestion points: Content is retrieved via curl from GQL and LLM data export endpoints. Boundary markers: Absent; the agent is not instructed to treat fetched data as untrusted or wrap it in delimiters. Capability inventory: The skill allows shell commands (curl, jq), and reference files provide instructions for infrastructure modification via the Railway CLI, creating a high-privilege context. Sanitization: Absent.
- Command Execution (MEDIUM): The skill utilizes Bash(curl:) and Bash(jq:), providing the agent with broad shell execution capabilities for interacting with external APIs.
- Data Exfiltration (LOW): The skill initiates network requests to domains (railway.com) not included in the trusted whitelist as part of its core search functionality.
Recommendations
- AI detected serious security threats
Audit Metadata