ap2-setup
Pass
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves content from external URLs (ap2-protocol.org and github.com) to guide project setup actions.
- Ingestion points: SKILL.md (Fetch and WebSearch instructions).
- Boundary markers: None; the skill does not include instructions to ignore commands potentially embedded in external documentation.
- Capability inventory: Bash (for SDK installation) and Write/Edit (for project scaffolding).
- Sanitization: No explicit validation or filtering is performed on the data fetched from remote sources before it is used to influence agent decisions.
- [EXTERNAL_DOWNLOADS]: The skill installs the AP2 SDK from a GitHub repository (google-agentic-commerce/AP2). This is a well-known source related to the skill's stated purpose of implementing Google-based agentic commerce protocols.
Audit Metadata