templates

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is vulnerable to indirect prompt injection because it processes untrusted data from the Railway Template Marketplace (names, descriptions, and configurations) and has the power to execute deployments.
  • Ingestion points: scripts/railway-api.sh fetches marketplace data through the "templates" and "template" GraphQL queries.
  • Boundary markers: Absent. There are no delimiters or instructions to help the agent distinguish between skill instructions and data returned from the API.
  • Capability inventory: The skill can perform the templateDeployV2 mutation, creating and configuring live services in the user's Railway account.
  • Sanitization: Absent. The data is processed as raw strings or JSON objects.
  • [Credentials Access] (HIGH): The helper script scripts/railway-api.sh reads the Railway authentication token directly from ~/.railway/config.json. This grants the skill (and the agent) full administrative access to the user's Railway account.
  • [Command Execution] (MEDIUM): The skill makes extensive use of local shell execution via the bash <<'SCRIPT' pattern to run the railway CLI and custom scripts. While functional, this provides a significant attack surface if the agent is manipulated into injecting malicious commands into the heredoc blocks.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 08:28 PM