railway-sandbox
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill prompts the installation of a secondary skill via 'npx skills add https://github.com/computesdk/sandbox-skills'. The 'computesdk' organization is not a verified trusted source, creating a risk of remote code or instruction injection.
- REMOTE_CODE_EXECUTION (HIGH): The primary function is to execute arbitrary code on remote Railway environments using 'sandbox.runCode()'. This represents a significant security risk if the agent interpolates untrusted user input into these execution calls without sanitization.
- COMMAND_EXECUTION (MEDIUM): The setup process requires 'npm install' and 'npx' commands to fetch and run external packages, which can execute lifecycle scripts on the local system.
- CREDENTIALS_UNSAFE (LOW): The skill requires multiple sensitive environment variables (COMPUTESDK_API_KEY, RAILWAY_API_KEY). While only placeholders are provided, the management of these keys by an AI agent increases the risk of accidental exposure in logs or downstream tasks.
- INDIRECT_PROMPT_INJECTION (HIGH): (Category 8 Evaluation)
  - Ingestion points: The 'runCode' method in SKILL.md accepts string data for execution.
  - Boundary markers: None provided in the examples to separate trusted instructions from untrusted data.
  - Capability inventory: Subprocess-like execution on remote infrastructure (runCode), project management (create/destroy).
  - Sanitization: No evidence of input validation or escaping for the code strings sent to the sandbox.
Recommendations
- AI detected serious security threats
Audit Metadata