Trust Assessment
railway-new received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 4 high, 1 medium, and 1 low severity. Key findings include network egress to untrusted endpoints, covert behavior / concealment directives, and unsanitized user input in the `railway init` command.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unsanitized user input in `railway init` command.** The skill instructs the agent to use user-provided project names directly in `railway init -n <name>` without specifying any sanitization. An attacker could inject shell metacharacters (e.g., `;`, `&`, `\|`, `` ` ``, `$()`) into the project name, leading to arbitrary command execution on the host system when the agent constructs and executes the shell command. Instruct the agent to sanitize or escape user-provided project names before incorporating them into shell commands. For example, use a library function to escape shell arguments or validate input against a strict whitelist of allowed characters. | LLM | SKILL.md:129 |
| HIGH | **Unsanitized user input in `railway link` command.** The skill instructs the agent to use user-provided project names or IDs directly in `railway link -p <project>` without specifying any sanitization. An attacker could inject shell metacharacters into the project identifier, leading to arbitrary command execution on the host system when the agent constructs and executes the shell command. Instruct the agent to sanitize or escape user-provided project identifiers before incorporating them into shell commands. | LLM | SKILL.md:154 |
| HIGH | **Unsanitized user input in `railway add --service` command.** The skill instructs the agent to use user-provided service names directly in `railway add --service <name>` without specifying any sanitization. An attacker could inject shell metacharacters into the service name, leading to arbitrary command execution on the host system when the agent constructs and executes the shell command. Instruct the agent to sanitize or escape user-provided service names before incorporating them into shell commands. | LLM | SKILL.md:170 |
| HIGH | **Unsanitized user input in `jq` filter for workspace matching.** The skill instructs the agent to construct a `jq` command using user-provided workspace names (e.g., 'personal', 'my-team') within the `test()` function. If the user input is directly inserted into the `jq` filter string without proper shell escaping, an attacker could inject shell metacharacters, breaking out of the `jq` command and executing arbitrary commands on the host system. Instruct the agent to properly escape user-provided strings before embedding them into shell commands, especially when constructing `jq` filters. For example, use `printf %q` or a similar mechanism to ensure the string is safely quoted for the shell. | LLM | SKILL.md:146 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |