Trust Assessment
railway-status received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 1 high, 2 medium, and 2 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, and Excessive Bash Permissions for 'railway' command.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Details | Remediation | Layer | Location |
|---|---|---|---|---|---|
| HIGH | Excessive Bash Permissions for 'railway' command | The skill declares 'Bash(railway:*)' in its allowed-tools, granting permission to execute any command under the 'railway' CLI. While the skill's stated purpose is to check status using 'railway status', this broad permission allows the LLM to potentially execute other, more destructive or sensitive 'railway' commands (e.g., 'railway delete', 'railway env set', 'railway deploy') if prompted by a malicious user or misinterpretation. This creates a significant attack surface beyond the skill's intended functionality. | Restrict the 'railway' Bash permission to only the necessary subcommands, such as 'Bash(railway:status)', 'Bash(railway:whoami)', and 'Bash(railway:link)'. If other subcommands are truly needed, list them explicitly rather than using a wildcard. | LLM | Manifest:1 |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Unpinned Dependency in Manifest | The 'railway-cli' dependency is listed without a specific version or hash. This 'unpinned' dependency can lead to supply chain risks, as future installations might pull a vulnerable or malicious version if the package repository is compromised or if a typosquatting attack occurs. While the SKILL.md suggests manual installation via npm or brew, the 'dependencies' field in the manifest typically implies automated resolution. | Pin the 'railway-cli' dependency to a specific version or use a content hash to ensure deterministic and secure installations. For example, 'railway-cli@1.2.3' or specify a checksum if the ecosystem supports it. | LLM | Manifest:1 |
| LOW | Covert behavior / concealment directives | Multiple zero-width characters (stealth text). | Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
| LOW | Potential for Sensitive Data Exposure from Command Output | The skill executes 'railway status --json', which can output detailed and potentially sensitive information about the project, services, and deployments (e.g., internal URLs, build logs, service names). While the skill provides instructions to parse and present a summarized version, there's an inherent risk that the raw JSON output, if not perfectly filtered by the LLM, could expose more sensitive data than intended to the user or through logs. The LLM's summarization capabilities are critical here. | Reinforce instructions for the LLM to strictly adhere to the specified output format and to avoid exposing any details beyond what is explicitly requested (Project name, workspace, Environment, Services, Active Deployments, Domains). Consider adding explicit negative constraints like 'Do NOT output raw JSON' or 'Do NOT include internal URLs unless specifically requested and approved'. | LLM | SKILL.md:30 |