Trust Assessment
railway-database received a trust score of 76/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 5 findings: 0 critical, 1 high, 1 medium, and 2 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Potential JSON/GraphQL Injection via unsanitized dynamic values in `railway-api.sh` calls.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential JSON/GraphQL Injection via unsanitized dynamic values in `railway-api.sh` calls The skill describes constructing GraphQL queries and JSON variable payloads for the `railway-api.sh` helper script. These payloads include dynamic values such as `PROJECT_ID`, `ENVIRONMENT_ID`, `WORKSPACE_ID`, `TEMPLATE_ID`, and `code` (for template selection). If these dynamic values are derived from untrusted user input and are directly interpolated into the JSON strings without proper escaping, it could lead to JSON injection. This, in turn, could result in GraphQL injection, allowing an attacker to manipulate GraphQL queries or variables, potentially leading to unauthorized data access, modification, or resource management within the Railway platform. Ensure all dynamic values interpolated into JSON strings for `railway-api.sh` arguments are properly JSON-escaped. Implement robust input validation and sanitization for any user-provided data used in these contexts. The `railway-api.sh` script itself should also be reviewed to ensure it safely handles its arguments and passes them to the GraphQL client. | LLM | SKILL.md:78 | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 | |
| LOW | Covert behavior / concealment directives Multiple zero-width characters (stealth text) Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 | |
| LOW | Broad `Bash(railway:*)` permission declared The skill declares `Bash(railway:*)` permission, allowing it to execute any command prefixed with `railway`. While the skill's documented functionality focuses on adding database services, this broad permission could be exploited by a malicious prompt to execute arbitrary or destructive `railway` commands (e.g., deleting projects, modifying sensitive configurations) if the agent's prompt injection defenses are insufficient. Consider narrowing the `Bash` permissions to only the specific `railway` subcommands required for the skill's intended functionality (e.g., `Bash(railway:status, railway:deploy, railway:env)`). If `railway-api.sh` is the primary interface, consider if a more granular tool definition for `railway-api.sh` could be used instead of direct `Bash` access. | LLM | Manifest | |
| INFO | Unpinned `railway-cli` dependency The `railway-cli` dependency is declared without a specific version constraint. This means that future installations or updates could pull the latest version, which might introduce breaking changes, unexpected behavior, or even malicious code if the upstream repository were compromised. Pin the `railway-cli` dependency to a specific major or minor version (e.g., `"railway-cli@^3.0.0"` or `"railway-cli@3.5.2"`) to ensure deterministic and secure installations. | LLM | Manifest |
Scan History
Embed Code
[](https://skillshield.io/report/3608835033357958)
Powered by SkillShield