moai-platform-railway
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): High risk of Indirect Prompt Injection (Category 8) due to the combination of high-privilege capabilities and external data ingestion.
- Ingestion points: The skill is designed to analyze and act upon user-provided project files including
Dockerfile,railway.toml,package.json, and source code. - Boundary markers: Absent. The skill provides no instructions to the agent to treat external file content as untrusted or to ignore embedded natural language instructions.
- Capability inventory: The agent is granted permissive access to
Bash(railway:*),Bash(npm:*), andBash(docker:*). These tools can be used to execute arbitrary code, modify system state, or deploy infrastructure. - Sanitization: Absent. There is no mention of validating or escaping content from configuration files before passing them to build or deployment tools.
- [COMMAND_EXECUTION] (HIGH): The skill explicitly allows the agent to run potentially dangerous shell commands. While necessary for the stated purpose of deployment, the broad wildcard permissions (
npm:*,docker:*) allow an attacker to leverage the agent to perform actions beyond simple deployment, such as installing malicious packages or running rogue containers. - [REMOTE_CODE_EXECUTION] (MEDIUM): The documentation encourages the global installation of the Railway CLI and other tools via
npm. If an attacker can influence the environment or provide a malicious dependency list, the agent might execute arbitrary remote code during the build or deployment phase. - [CREDENTIALS_UNSAFE] (LOW): While the skill correctly uses placeholders for sensitive data (e.g.,
RAILWAY_TOKEN), the workflow involves handling high-value secrets. Without strict isolation, these secrets could be exposed via the allowed bash commands.
Recommendations
- AI detected serious security threats
Audit Metadata