Trust Assessment
railway-metrics received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 2 medium, and 1 low severity. Key findings include "Network egress to untrusted endpoints", "Covert behavior / concealment directives", and "Excessive Bash Permissions for Skill Scope".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Excessive Bash Permissions for Skill Scope: The skill declares `Bash(railway:*)` as an allowed tool. While the skill's stated purpose is to 'Query resource usage metrics', this permission grants the ability to execute *any* command prefixed with `railway`. This includes commands that can modify, create, or delete resources (e.g., `railway deploy`, `railway service update`, `railway delete`, `railway env add`), which is far beyond the scope of merely querying metrics. This broad permission could be exploited by a malicious prompt to perform unauthorized and potentially destructive actions on the user's Railway project. Restrict the `Bash` permission to only the specific `railway` commands absolutely necessary for metrics querying, such as `railway status`. If the `railway-api.sh` script handles all API interactions, consider if a more specific permission for that script is available or if it should be a built-in tool, rather than relying on a broad `railway:*` permission. | Static | Manifest (frontmatter JSON) |
| MEDIUM | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Unpinned Dependency in Skill Manifest: The `railway-cli` dependency is declared without a specific version. This introduces a supply chain risk as future updates to `railway-cli` could introduce breaking changes, vulnerabilities, or even malicious code without explicit review or control. Unpinned dependencies can lead to non-deterministic skill behavior and potential security issues. Pin the `railway-cli` dependency to a specific, known-good version (e.g., `"railway-cli@1.2.3"`) to ensure deterministic behavior and mitigate risks from unexpected or malicious updates. | Static | Manifest (frontmatter JSON) |
| LOW | Covert behavior / concealment directives: Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |