agent-factory
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructs the user to provide sensitive environment variables, including `RAILWAY_TOKEN`, `AUTH_TOKEN` (Twitter), and `CT0` (Twitter), which are required for the automated deployment and discovery steps.
- [COMMAND_EXECUTION]: The pipeline constructs shell commands using data sourced from untrusted external inputs. Specifically, the agent name and API endpoints are derived from social media searches (`bird search`) and web results, then used in commands such as `gh repo create <user>/<agent-name>`, `railway add -s <agent-name>`, and `railway up`. This pattern lacks sanitization and creates a significant surface for command injection.
- [EXTERNAL_DOWNLOADS]: The skill uses `curl` to interact with arbitrary endpoints discovered via `web_search`. This presents a risk of Server-Side Request Forgery (SSRF) or the ingestion of malicious content from attacker-controlled servers.
- [INDIRECT_PROMPT_INJECTION]: The skill possesses a large attack surface for indirect prompt injection.
  - Ingestion points: Data enters via `bird search` and `web_search` in Step 1 and Step 3.
  - Boundary markers: None are present to distinguish between instructions and data.
  - Capability inventory: The skill has access to shell execution (`gh`, `railway`, `curl`, `ls`, `head`), file system access, and network operations.
  - Sanitization: There is no evidence of validation or escaping for the external content before it is processed or used in shell commands.
- [PERSISTENCE]: The documentation provides a cron configuration (`0 * * * *`) to establish a persistent, recurring execution of the full agent creation and deployment pipeline.
Audit Metadata