environment
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests untrusted external data that could contain malicious instructions. Ingestion points: Environment configurations and rendered variables are fetched via
railway environment config --jsonandrailway variables --jsoninSKILL.md. Boundary markers: None; external data is incorporated directly into the agent context. Capability inventory: The skill can modify build/start commands, change service sources, and delete infrastructure components (isDeleted: true). Sanitization: No sanitization of ingested configuration values is performed. - [COMMAND_EXECUTION] (HIGH): The skill facilitates the configuration of
buildCommandandstartCommandthroughrailway environment edit. This allows an agent (or an attacker via injection) to execute arbitrary shell commands on Railway's build and runtime environments. - [CREDENTIALS_UNSAFE] (HIGH): The command
railway variables --jsonis used to retrieve and display sensitive, rendered secrets including API keys and database credentials, exposing them to the agent's context. - [EXTERNAL_DOWNLOADS] (LOW): The skill suggests running
railway upgradeto update the CLI tool, which involves downloading and executing binaries from Railway's servers. This is considered LOW severity under the trust-scope rule for established infrastructure tools.
Recommendations
- AI detected serious security threats
Audit Metadata