metrics
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Data Exposure & Exfiltration (HIGH): The skill reads sensitive Railway authentication credentials from the filesystem and transmits them to an external API.
  - Evidence: The `scripts/railway-api.sh` script extracts the token from `~/.railway/config.json` and uses it in a `curl` request to `backboard.railway.com`.
  - Reasoning: Although necessary for the skill's function, accessing configuration files containing plain-text tokens and sending them to a non-whitelisted domain is a high-risk behavior (downgraded from CRITICAL because it serves the skill's primary purpose).
- Indirect Prompt Injection (LOW): The skill processes untrusted data from API responses and CLI outputs without proper isolation markers.
  - Ingestion points: `scripts/railway-api.sh` (GraphQL response data) and `railway status --json`.
  - Boundary markers: Absent. The instructions do not define clear boundaries for the agent to distinguish between system instructions and data content.
  - Capability inventory: The skill is granted `Bash` tool permissions, which could be leveraged if the agent follows instructions hidden in the data.
  - Sanitization: Uses `jq` for structured parsing, which prevents simple syntax confusion but does not validate the semantic content of the data.
- Dynamic Execution (LOW): The skill utilizes bash heredocs for dynamic script generation and interpolation of user/environment variables.
  - Evidence: `SKILL.md` examples use `bash <<'SCRIPT'` to construct and execute command logic.
Recommendations
- AI detected serious security threats
Audit Metadata