app-platform-router

Warn

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill frequently references and clones external resources from a personal GitHub account to provide essential functionality. This includes the devcontainer reference repository (https://github.com/bikramkgupta/do-app-devcontainer.git) and several diagnostic/sandbox Docker images hosted at ghcr.io/bikramkgupta/* (e.g., debug-python, sandbox-python). These dependencies are outside the official DigitalOcean or digitalocean-labs organizations.
  • [COMMAND_EXECUTION]: Multiple scripts within the postgres and migration sub-skills (secure_setup.py, add_client.py, cleanup_client.py) use subprocess.run to execute system commands. These scripts programmatically interact with CLI tools including doctl, gh, psql, and aws. While these are legitimate for infrastructure automation, they require careful verification of input parameters to prevent command injection.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) because it transforms natural language user requests into executable App Platform specifications and shell-based deployment instructions.
    • Ingestion points: User-provided application architectures and feature descriptions are ingested through skills/designer/SKILL.md and skills/migration/SKILL.md.
    • Boundary markers: The skill templates do not utilize explicit delimiters or instructions to ignore potential commands embedded within user-provided descriptions.
    • Capability inventory: The skill possesses the capability to generate and execute (via the agent) highly sensitive commands for application lifecycle management, database user provisioning, and CI/CD workflow creation.
    • Sanitization: There is no evidence of filtering or validation of natural language input before it is used to generate YAML configurations or shell arguments.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 10, 2026, 02:14 PM