Railway Deploy

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Railway deployment skill, but it gives broad Railway CLI authority and includes administrative examples that can create, modify, or delete live Railway resources beyond routine deploys.

Install only if you want an agent to deploy to Railway from your current repository. Before each use, confirm the logged-in Railway account, project, service, environment, and working directory. Do not let this skill perform environment edits, service creation, Docker image changes, or deletions unless you explicitly requested that exact administrative action and understand the production impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The reference exposes broad environment-editing capabilities that exceed the deploy skill's stated scope, including deletion of services/volumes and modification of variables. In an agent setting, over-scoped documentation can enable the model to take destructive or privilege-expanding actions under a benign 'deploy' request, especially because the same CLI path can apply arbitrary config patches.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The documentation instructs how to create new service instances even though the manifest says initial setup and service creation should use the separate new skill. This contradiction weakens safety boundaries between skills and may cause an agent to perform provisioning actions outside its intended authority.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding
The file includes instructions to change Docker images despite the manifest stating Docker images belong to the environment skill. This inconsistent guidance can lead the deploy skill to alter runtime provenance or swap images unexpectedly, which is more dangerous than a routine code deploy.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The skill metadata includes very broad trigger phrases such as "deploy," "ship," and "push," which can match common user language outside a clearly scoped Railway deployment intent. In an agentic system, this increases the chance of unintended activation of a privileged deployment workflow that can push local code to a live service.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The "When to Use" section repeats ambiguous activation guidance like "deploy," "ship," and "push code" without clear guardrails about target platform, repository state, or user confirmation. Because this skill can invoke a deployment command, ambiguous routing language materially raises the risk of accidental production-affecting actions.
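Added example, not code from the scanner report or from the skill itself: the two "Vague Triggers" findings above are about activation routing, so this Python snippet contrasts a keyword-only matcher (the pattern the findings describe) with one that also requires the request to name the target platform. The sample messages, the matchers, and the expected labels are constructed assumptions for illustration; the skill's real trigger metadata is not reproduced here.

```python
import re

# Constructed sample requests (not from the original page). The second field
# is the label we want: True means the Railway deploy skill should activate.
SAMPLES = [
    ("deploy this to railway", True),
    ("push the current branch to our railway service", True),
    ("ship it to railway", True),
    ("push my changes to git", False),
    ("deploy the new marketing copy to the blog", False),
    ("can you ship the package to the customer?", False),
    ("rebase and push, then open a PR", False),
]

# Assumed trigger words; the findings quote "deploy", "ship" and "push".
BROAD_TRIGGERS = ("deploy", "ship", "push")


def _words(msg: str) -> set[str]:
    """Lowercased word set, so 'Push' and 'push,' both count as 'push'."""
    return set(re.findall(r"[a-z]+", msg.lower()))


def broad_trigger(msg: str) -> bool:
    """Keyword-only activation: any deploy verb anywhere in the request."""
    return any(t in _words(msg) for t in BROAD_TRIGGERS)


def scoped_trigger(msg: str) -> bool:
    """Activation only when a deploy verb and an explicit 'railway' reference
    appear in the same request. Still pair this with a confirmation step;
    routing alone does not make a production-affecting action safe."""
    words = _words(msg)
    return any(t in words for t in BROAD_TRIGGERS) and "railway" in words


def false_activations(matcher) -> list[str]:
    """Requests the matcher would route to the deploy skill but should not."""
    return [m for m, expected in SAMPLES if matcher(m) and not expected]


def missed_activations(matcher) -> list[str]:
    """Genuine Railway deploy requests the matcher fails to route."""
    return [m for m, expected in SAMPLES if not matcher(m) and expected]


if __name__ == "__main__":
    for name, fn in (("broad", broad_trigger), ("scoped", scoped_trigger)):
        print(name, "false activations:", false_activations(fn))
        print(name, "missed activations:", missed_activations(fn))
```

On the constructed samples the keyword-only matcher fires on four unrelated requests (a git push, a blog edit, a shipment, a rebase) while missing nothing; the scoped matcher fires only on the three Railway requests. The point is that the scoped rule removes accidental activation without losing recall, which is the trade-off the findings are asking the skill author to make.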

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The examples show destructive operations like deleting variables and services via direct CLI patches without any warning, approval step, or confirmation guidance. In an autonomous or semi-autonomous agent context, such examples normalize irreversible actions and increase the chance of accidental outages, data loss, or secret removal during routine deploy interactions.

VirusTotal

65/65 vendors flagged this skill as clean.
