service
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The helper script
scripts/railway-api.shaccesses the local Railway configuration file at~/.railway/config.jsonto extract the user's plaintext authentication token (.user.token). This token is then used as a Bearer token in subsequent API calls. - [COMMAND_EXECUTION] (HIGH): The skill provides the ability to modify
buildCommand,startCommand, andcronSchedulevia theenvironmentskill andrailway environment edit. Because these commands are eventually executed on Railway's infrastructure, an attacker utilizing indirect prompt injection could execute arbitrary code in the deployment environment. - [INDIRECT_PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection due to its core purpose of processing user-provided configuration for service deployment.
- Ingestion points: User-provided service names, image names, icons, and configuration values in
SKILL.mdandreferences/environment-config.md. - Boundary markers: Absent. There are no instructions or delimiters to prevent the agent from interpreting embedded instructions within user data.
- Capability inventory: The skill can execute GraphQL mutations (
scripts/railway-api.sh) and modify project environment settings (railway environment edit), which are high-privilege operations. - Sanitization: Absent. User input is directly interpolated into commands and configuration payloads without validation.
- [DATA_EXPOSURE] (LOW): Sensitive tokens are transmitted to
https://backboard.railway.com/graphql/v2. While this is the legitimate Railway API endpoint, the exposure of the token from the local filesystem to the agent's process is a risk factor.
Recommendations
- AI detected serious security threats
Audit Metadata