railway-templates
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- Prompt Injection (SAFE): No evidence of direct instructions to override agent behavior, bypass safety filters, or extract system prompts.
- Data Exposure & Exfiltration (SAFE): The skill accesses project and workspace identifiers required for infrastructure management. It does not access sensitive local files (like SSH keys or AWS credentials) or exfiltrate data to unknown domains.
- Indirect Prompt Injection (LOW): The skill possesses an attack surface for indirect prompt injection via the ingestion of marketplace data.
  - Ingestion points: Fetches template metadata (name, code, description, category) through the `templates` and `template` GraphQL queries in `SKILL.md`.
  - Boundary markers: Absent; there are no specific delimiters or instructions to the agent to disregard instructions found within the fetched metadata.
  - Capability inventory: The agent can perform infrastructure changes, including deploying new services and fetching project configurations via the Railway API and CLI.
  - Sanitization: No evidence of sanitization or validation of the remote metadata before it is processed by the agent.
- Command Execution (SAFE): Executes commands using `railway-cli` and a local helper script `${CLAUDE_PLUGIN_ROOT}/skills/lib/railway-api.sh`. Command construction uses bash heredocs, which are a safer pattern for variable interpolation than direct string concatenation.
- Unverifiable Dependencies & Remote Code Execution (SAFE): Dependencies are restricted to the expected `railway-cli`. No patterns of downloading and piping remote scripts (e.g., `curl | bash`) were detected.
Audit Metadata