Status: Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- PROMPT_INJECTION (HIGH): High risk of Indirect Prompt Injection due to the combination of project file ingestion and write/execute capabilities.
  1. Ingestion point: The skill reads project context and status outputs to manage deployments.
  2. Capability inventory: Wildcard permissions for the Railway CLI allow the agent to run 'railway environment edit' to change build/start commands or environment variables.
  3. Boundary markers: None present to prevent the agent from obeying instructions embedded in project files.
  4. Sanitization: None present.
- COMMAND_EXECUTION (MEDIUM): The use of Bash(railway:*) is an over-permissioned wildcard that allows the agent to perform destructive actions like deleting services or databases, far exceeding the stated purpose of monitoring status.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill instructions suggest performing runtime global installations (npm install -g @railway/cli), which introduce potential supply chain risk without version pinning or integrity checks.
Recommendations
- AI detected serious security threats
Audit Metadata