ap2-credentials-provider

Pass

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is designed to ingest data from external specifications and web search results, creating a surface for indirect prompt injection where malicious instructions could be embedded in the documentation. \n
  • Ingestion points: Documentation URLs and GitHub search results are processed by the agent to guide implementation (SKILL.md). \n
  • Boundary markers: There are no instructions to delimit or treat the external content as untrusted. \n
  • Capability inventory: The agent is granted high-privilege capabilities including Bash, Write, and Edit tools (SKILL.md). \n
  • Sanitization: The instructions do not specify any sanitization or validation of the fetched technical specifications. \n- [EXTERNAL_DOWNLOADS]: The skill performs network operations to fetch specifications from a domain not listed as a trusted source. \n
  • Source: https://ap2-protocol.org/specification/ (SKILL.md). \n
  • Context: The fetch operation is used to retrieve the live definition of the Credentials Provider API and responsibilities.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 19, 2026, 07:32 AM
Security Audit — agent-trust-hub — ap2-credentials-provider