projects
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
Tags: DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Data Exposure & Exfiltration] (CRITICAL): The helper script scripts/railway-api.sh reads the sensitive configuration file ~/.railway/config.json to retrieve the user's authentication token. This token is subsequently transmitted via curl to backboard.railway.com. Since this domain is not included in the trusted whitelist, the behavior is classified as active exfiltration of credentials.
- [Indirect Prompt Injection] (HIGH): The skill is highly susceptible to indirect prompt injection because it ingests data from external API responses (railway list, whoami, status) and processes it without sanitization or boundary markers.
  - Ingestion points: API JSON data processed in SKILL.md and scripts/railway-api.sh.
  - Boundary markers: None present in the skill instructions or reference documents.
  - Capability inventory: Extensive project modification capabilities, including the ability to link projects, change project visibility (isPublic), and modify environment configurations.
  - Sanitization: No validation or escaping of the data extracted from API responses is performed before it is used to influence agent decisions or subsequent commands.
- [Command Execution] (HIGH): Through the manipulation of buildCommand and startCommand within the EnvironmentConfig (as detailed in references/environment-config.md), the skill allows for the execution of arbitrary commands on the Railway infrastructure. This high-privilege capability is a critical risk factor when combined with the lack of sanitization of external data.
Recommendations
- AI detected serious security threats
Audit Metadata