domain

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill allows the agent to modify sensitive environment configurations (including build/start commands and environment variables) based on user-controlled input without sanitization or boundary markers. Tier: HIGH (External content + write/execute capability).
    • Ingestion points: User instructions for domain and environment management described in SKILL.md and references/environment-config.md.
    • Boundary markers: Absent.
    • Capability inventory: Bash(railway:*) tool, specifically 'railway environment edit', which can modify all aspects of a service's lifecycle and networking.
    • Sanitization: Absent.
  • [Unverifiable Dependencies & Remote Code Execution] (HIGH): The skill provides instructions for setting 'build.buildCommand' and 'deploy.startCommand' via the environment configuration. An agent following these instructions can be induced to deploy and execute arbitrary code on the Railway platform.
    • Evidence: references/environment-config.md details setting build/start commands and changing Docker images or Git repositories.
  • [Command Execution] (MEDIUM): The skill utilizes the 'railway' CLI via Bash with broad wildcard permissions (railway:*), enabling a wide range of administrative actions that could be destructive if the agent's reasoning is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 08:27 PM