devcontainers
Warn
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to clone a repository from an external, personal GitHub account (https://github.com/bikramkgupta/do-app-devcontainer.git) to obtain devcontainer templates and scripts.
- [REMOTE_CODE_EXECUTION]: Scripts downloaded from the external repository, such as `init.sh`, `post-create.sh`, and various test scripts in the `tests/` directory, are executed on the host or inside containers during the provisioning and verification workflows.
- [COMMAND_EXECUTION]: The skill provides instructions for executing shell commands with elevated privileges (e.g., `sudo chown -R vscode:vscode /home/vscode`) and running arbitrary scripts inside containers via `docker exec`.
- [CREDENTIALS_UNSAFE]: Multiple connection strings and configuration templates contain hardcoded default passwords for database services (e.g., `postgresql://postgres:password@postgres:5432/app`, `mysql://mysql:mysql@mysql:3306/app`, `rustfsadmin:rustfsadmin`). While common for development, these represent a security best-practice violation.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface in Workflow 2, where it reads and processes untrusted data from `.do/app.yaml` to automate local container profile mapping.
  - Ingestion points: Reads `.do/app.yaml` to detect production service configurations (Workflow 2, SKILL.md).
  - Boundary markers: Absent; the agent is instructed to map engines directly to local profiles without sanitization or boundary delimiters.
  - Capability inventory: The agent has capabilities to perform `git clone`, `docker compose up`, `docker exec`, and `npm install` based on the processed configuration.
  - Sanitization: No validation or sanitization of the values found in `.do/app.yaml` is performed before they are used to determine tool execution parameters.
Audit Metadata