apm-usage

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill's SKILL.md explicitly instructs using apm to install dependencies from public repos and arbitrary hosts (e.g., "apm install owner/repo", "gitlab.com/org/repo", and git URLs in the apm.yml manifest), which means the agent will fetch and ingest untrusted, user-published skill content from third-party websites/repos that could contain instructions influencing agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The apm install examples fetch remote Git repositories at runtime (e.g., owner/repo, git@gitlab.com:org/repo.git, gitlab.com/org/repo or https://github.com/owner/repo.git), and those repos can contain SKILL.md instructions or executable scripts that directly control agent prompts or run code, so these repository URLs are a runtime dependency that can control the agent.