deploy-railway
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill directs the agent to read sensitive local files (
.env.production) and pipe them into an external CLI. It also retrieves sensitive database connection strings (railway variables get DATABASE_URL), which could lead to unauthorized exposure of production secrets.\n- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill performs global installation of the@railway/clipackage from npm. This is an unverifiable dependency that executes with the privileges of the agent's environment.\n- [COMMAND_EXECUTION] (MEDIUM): The skill makes extensive use of theBashtool to run CLI operations and arbitrary project scripts (e.g.,railway run npm run migrate), creating a significant attack surface for command injection if inputs are not strictly controlled.\n- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8). \n - Ingestion points: The agent uses
Read,Glob, andGrepto process local repository files and configuration.\n - Boundary markers: Absent.\n
- Capability inventory: High-risk capabilities including
Bashtool execution and file modification.\n - Sanitization: None.\n
- Risk: An attacker could place malicious instructions in the repository's source code or build configuration which, when read by the agent during the deployment process, could hijack the
Bashtool to perform unauthorized actions or exfiltrate the.envdata.
Recommendations
- AI detected serious security threats
Audit Metadata