ap2-setup

Pass

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves content from external URLs (ap2-protocol.org and github.com) to guide project setup actions.
  • Ingestion points: SKILL.md (Fetch and WebSearch instructions).
  • Boundary markers: None; the skill does not include instructions to ignore commands potentially embedded in external documentation.
  • Capability inventory: Bash (for SDK installation) and Write/Edit (for project scaffolding).
  • Sanitization: No explicit validation or filtering is performed on the data fetched from remote sources before it is used to influence agent decisions.
  • [EXTERNAL_DOWNLOADS]: The skill installs the AP2 SDK from a GitHub repository (google-agentic-commerce/AP2). This is a well-known source related to the skill's stated purpose of implementing Google-based agentic commerce protocols.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 19, 2026, 07:32 AM
Security Audit — agent-trust-hub — ap2-setup