deploy

Verdict: Warn

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis

The skill SKILL.md outlines a workflow for deploying projects using various platforms. It primarily consists of instructions for running standard command-line interface (CLI) tools such as git, railway, wrangler, and bunx @opennextjs/cloudflare.

Threat Category Analysis:

  1. Prompt Injection: No patterns indicative of prompt injection attempts were found in the skill's description or instructions.

  2. Data Exfiltration: The skill instructs the agent to run deployment commands (railway up, wrangler deploy, git push). While these commands inherently involve network communication and read configuration files (e.g., railway.toml, wrangler.toml), they are the standard tools for their respective platforms and are designed to handle authentication and secure communication. There is no direct instruction to exfiltrate sensitive files or data to arbitrary, untrusted external servers. Therefore, there is no direct data exfiltration finding.

  3. Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, URL/hex/HTML encoding) were detected in the skill's content.

  4. Unverifiable Dependencies (MEDIUM): The skill instructs the agent to execute external tools such as railway up, bunx wrangler deploy, and bunx @opennextjs/cloudflare build. The bunx and npx commands are package runners that download and execute these tools if they are not already present. While railway and wrangler are legitimate and widely used deployment tools, and Cloudflare is a trusted organization, the skill itself does not provide the source code for these tools, nor does it pin their versions or verify their integrity at analysis time. Downloading and executing external code at runtime, even from known sources, introduces a supply-chain dependency risk. This is flagged as MEDIUM severity because the skill relies on the integrity of these external binaries.

  5. Privilege Escalation: No commands like sudo, chmod +x, chmod 777, or instructions for installing services or modifying system files were found.

  6. Persistence Mechanisms: No attempts to establish persistence (e.g., modifying shell configurations, creating cron jobs, or systemd services) were detected.

  7. Metadata Poisoning: The name, description, and user-invocable fields are benign and accurately reflect the skill's purpose.

  8. Indirect Prompt Injection (INFO): The skill processes user input to determine which deployment command to execute. While the skill itself does not introduce new indirect injection vectors from external data sources (such as emails or web pages), any skill that takes user input as command parameters carries a general risk of that input being used to inject additional commands. This is a general agent risk rather than a specific vulnerability in the skill's design.

  9. Time-Delayed / Conditional Attacks: No conditional logic based on dates, usage counters, or specific environment triggers for malicious behavior was found.

Conclusion: The primary security concern is the instruction to execute external, potentially downloaded, CLI tools. While these tools are standard for deployment, their execution relies on external integrity and introduces a dependency that cannot be fully audited from the skill's own files. This leads to a MEDIUM verdict.

Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 13, 2026, 06:07 AM