Is dbanys/railway-deploy safe?

https://github.com/openclaw/skills/tree/main/skills/dbanys/railway-deploy

Overall score: 94
Verdict: SAFE

dbanys/railway-deploy is a clean, well-scoped Railway CLI deployment helper with no prompt injection, malicious code, unauthorized file access, or covert network behavior. Its primary action — uploading the current directory to Railway's cloud — is the explicit, user-initiated purpose documented in SKILL.md, and the allowed-tools restriction is correctly narrowed to the railway CLI namespace. The canary file read events observed in monitoring are definitively attributed to the audit framework's own pre-install and post-scan verification routines based on timestamp analysis.

Category Scores (score out of 100 · weight)

Prompt Injection 96/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 96/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (4)

LOW (-12) · railway up transmits working directory contents to Railway cloud

The skill's core function uploads the current working directory to Railway's external cloud platform. This is the intended, user-requested behavior. However, if sensitive files (e.g., .env files, secrets, private keys) exist in the deployment directory and are not excluded via .railwayignore, they will be transmitted to Railway's servers. The skill contains no instructions to warn users about this or to exclude credential files.

INFO (-4) · External URL reference in reference documentation

references/railpack.md contains a link to https://railpack.com/llms.txt as a passive documentation pointer. It does not instruct the agent to fetch this URL autonomously and poses no injection risk in normal operation. Noted for completeness.

INFO (0) · Canary file read events attributed to audit framework, not skill

Filesystem and auditd monitoring captured read-only access to all canary credential files at two timestamps. The first window (13:40:32, auditd events 254-259) precedes skill installation by 5 seconds or more and aligns with the audit framework's sudo initialization. The second window (13:40:50, auditd events 1434-1439) follows the post-install file scan and aligns with the framework's cleanup verification. No CLOSE_WRITE events were recorded on canary files, and no outbound data transfers correlated with canary content. Canary integrity is confirmed clean.

INFO (0) · No executable code or install-time side effects present

The complete file inventory shows only documentation files: SKILL.md, _meta.json, and four Markdown reference files. No package.json with lifecycle scripts, no shell scripts, no compiled binaries, no git hooks, no submodules, and no symlinks were found. The installation process was a clean sparse-checkout copy with no side effects.