use-railway

Fail

Audited by Snyk on Mar 19, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill tells the agent to fetch S3 credentials (railway bucket credentials --json) and to set variables using inline forms like railway variable set KEY=value, which requires copying secret values verbatim into commands/output, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill’s references/request.md explicitly instructs the agent to fetch and read community threads from Railway’s Central Station (e.g., curl calls to station-server.railway.com and station.railway.com thread URLs) and the scripts/railway-api.sh shows querying backboard.railway.com, so the agent is expected to ingest untrusted, user-generated public content that can influence operational decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill instructs runtime installation using fetch-and-execute commands that run remote scripts (e.g., bash <(curl -fsSL cli.new) and curl -fsSL https://railway.com/install.sh | sh), so these URLs fetch and execute remote code the skill relies on.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: HIGH
Analyzed: Mar 19, 2026, 05:07 PM
Issues: 3