apm-usage

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md and manifest docs explicitly instruct using apm install with dependencies like "owner/repo" and non-GitHub hosts (e.g., GitHub/GitLab URLs) so the agent will fetch and install arbitrary public repository skill packages (untrusted, user-generated content) that can contain instructions affecting agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill describes runtime fetching of external git repositories via apm (e.g., "apm install owner/repo" and "git: git@gitlab.com:org/repo.git"), and those fetched repos can contain SKILL.md instruction files (which become agent prompts) and optional executable scripts, so remote content directly controls prompts and may execute code.