app-platform-router

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The router and sub-skill docs explicitly require reading user-specified Git/GitHub repositories and app artifacts (e.g., “Parses Procfile, app.json, heroku.yml” in SKILL.md and the App Spec source configuration allowing git/github clone URLs in shared/AppSpec-Reference.md), so the agent will fetch and interpret untrusted third‑party (public/user-generated) content that can materially influence workflow decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs installing/using the do-app-sandbox package (pip install do-app-sandbox) and deploying/connecting to the debug container image ghcr.io/bikramkgupta/do-app-debug-container-python at runtime, and those external artifacts are fetched/used to execute arbitrary commands via Sandbox.exec, so they directly enable remote code execution.