database
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The file `scripts/railway-api.sh` programmatically accesses `~/.railway/config.json` to extract the Railway user authentication token. Accessing local CLI configuration files for long-lived credentials is a high-risk behavior.
- [DATA_EXFILTRATION] (HIGH): The script `scripts/railway-api.sh` transmits the extracted local authentication token to `https://backboard.railway.com/graphql/v2`. As this domain is not within the trusted whitelist and the action involves sending local secrets to an external endpoint, it is classified as a data exfiltration risk.
- [PROMPT_INJECTION] (HIGH): The skill exhibits a significant surface for indirect prompt injection (Category 8) due to its interaction with untrusted external data.
  - Ingestion points: Data enters the agent context via `railway status --json` and the output of GraphQL queries in `scripts/railway-api.sh` (e.g., `template` and `environmentConfig` queries).
  - Boundary markers: Absent. There are no delimiters or instructions to ignore embedded content within the API responses.
  - Capability inventory: The skill has high-privilege capabilities including infrastructure deployment (`deployTemplateV2`), environment configuration modification (`railway environment edit`), and arbitrary bash execution.
  - Sanitization: Absent. The skill lacks validation or sanitization of the JSON payloads retrieved from the API before they are used to influence logic or command arguments.
- [COMMAND_EXECUTION] (MEDIUM): The skill relies on complex shell script execution via bash heredocs (`bash <<'SCRIPT'`). While the use of single quotes mitigates some local shell expansion risks, the pattern allows for the execution of multi-step side effects that modify the user's cloud environment.
Recommendations
- AI detected serious security threats