railway
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple commands through the `railway` CLI, including `init`, `up`, `add`, and `variables`. It also enables high-privilege operations such as `railway ssh` for remote shell access to services.
- [EXTERNAL_DOWNLOADS]: The `logging-python.md` file instructs the agent to install the `python-json-logger` package via the `uv` package manager, which is a standard library download from the public PyPI registry.
- [DATA_EXFILTRATION]: The skill references the path `~/.railway/config.json` to retrieve the `user.token` for Railway GraphQL API authentication. This constitutes access to sensitive local credentials required for deployment automation.
- [PROMPT_INJECTION]: The logging framework described in `logging-python.md` introduces a surface for indirect prompt injection by processing application-level data.
  1. Ingestion points: Application log messages and metadata processed by the `RailwayJsonFormatter` and `LoggingMiddleware`.
  2. Boundary markers: None defined in the implementation.
  3. Capability inventory: Access to Railway authentication tokens and the ability to execute deployment and configuration commands via the CLI.
  4. Sanitization: The implementation relies on standard JSON serialization without specific filtering or sanitization of untrusted input within log records.
Audit Metadata