Trust Assessment
railway received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection via `railway run`, Excessive Permissions: Direct SSH Access to Services, Supply Chain Risk: Unpinned Dependency in CI/CD Workflow Example.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential Command Injection via `railway run` The skill exposes the `railway run <command>` functionality, which executes arbitrary shell commands within the Railway project's environment. If the `<command>` argument is constructed from untrusted user input without proper sanitization, it could lead to command injection, allowing an attacker to execute arbitrary code on the Railway service. Implement strict input validation and sanitization for any arguments passed to `railway run`. Consider using an allowlist of commands or arguments if possible, or ensure user input is never directly interpolated into the `<command>` argument. | LLM | SKILL.md:100 | |
| HIGH | Excessive Permissions: Direct SSH Access to Services The skill provides direct access to `railway ssh`, allowing the agent to establish an SSH connection to running services. This grants arbitrary command execution capabilities within the service's environment, bypassing typical application-level controls. While intended functionality of the CLI, exposing this directly to an LLM agent significantly increases the attack surface if the agent can be prompted to misuse it. Carefully consider whether direct SSH access is necessary for the LLM agent's intended functions. If so, implement strict guardrails and user confirmation for any `ssh` operations. Monitor usage for anomalous activity. | LLM | SKILL.md:108 | |
| MEDIUM | Supply Chain Risk: Unpinned Dependency in CI/CD Workflow Example The provided CI/CD integration example uses `npm i -g @railway/cli` without specifying a version. This means that every time the workflow runs, it will fetch the latest version of the `@railway/cli` package. If a malicious update is published to the npm registry, it could be automatically pulled and executed in the CI/CD pipeline, leading to a supply chain attack. Pin the dependency to a specific version (e.g., `npm i -g @railway/cli@x.y.z`) or a major version (e.g., `npm i -g @railway/cli@^x.0.0`) to mitigate the risk of unexpected or malicious updates. Regularly review and update pinned versions. | LLM | SKILL.md:170 |
Scan History
Embed Code
[](https://skillshield.io/report/5d1010a9675877ae)
Powered by SkillShield