app-platform-router

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUM
Risk Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill depends on multiple resources hosted under the personal GitHub/GHCR account bikramkgupta, which is not on the trusted vendors list. These include:
      • Container images for debugging and sandboxing: ghcr.io/bikramkgupta/debug-python, ghcr.io/bikramkgupta/debug-node, ghcr.io/bikramkgupta/sandbox-python, and ghcr.io/bikramkgupta/sandbox-node.
      • Devcontainer templates and configurations cloned via git clone https://github.com/bikramkgupta/do-app-devcontainer.git.
      • The do-app-sandbox Python package, which is central to the troubleshooting and sandbox workflows.
  • [COMMAND_EXECUTION]: The skill uses the do-app-sandbox SDK to provide programmatic shell access to running containers (Sandbox.get_from_id) and to create ephemeral execution environments (Sandbox.create). This capability is used to execute arbitrary shell commands for diagnostics, code interpretation, and infrastructure validation across multiple scripts (e.g., live-troubleshooting.md, debug-container.md).
  • [DATA_EXFILTRATION]: The post-create.sh script and the SKILL.md documentation for devcontainers and troubleshooting reference, and modify permissions on, sensitive local directories including ~/.aws/credentials, ~/.ssh, ~/.claude, and ~/.codex. Access to these paths creates a potential avenue for credential exposure if an agent is misdirected.
  • [PROMPT_INJECTION]: The migration skill involves an automated discovery phase in which it clones untrusted third-party repositories and parses their configuration files (e.g., Procfile, app.json, heroku.yml, render.yaml).
      • Ingestion points: detect_platform.py and analyze_architecture.py read and parse configuration files and source code from user-provided repository URLs.
      • Boundary markers: No explicit instructions to ignore embedded instructions in the processed files were found in the parsing logic.
      • Capability inventory: The skill possesses extensive capabilities, including file system write access, network operations via curl/psql/gh, and arbitrary command execution via do-app-sandbox.
      • Sanitization: While create_schema_user.py uses psycopg2.sql.Identifier for safe SQL composition, the initial architectural analysis depends on interpreting configuration files that may contain malicious embedded instructions.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 27, 2026, 12:42 PM