agent-package-manager
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches the APM CLI from official Microsoft distribution links (https://aka.ms/apm-unix and https://aka.ms/apm-windows). These are well-known and documented distribution endpoints.
- [REMOTE_CODE_EXECUTION]: Provides instructions for piping remote scripts directly into a shell or interpreter (e.g.,
curl | sh,irm | iex) for initial tool setup. These scripts are sourced from trusted infrastructure. - [COMMAND_EXECUTION]: The skill instructs the agent to execute various CLI commands such as
apm install,apm run, andapm compile. These operations involve resolving external dependencies and running scripts specified in the project's manifest. - [PROMPT_INJECTION]: Indirect prompt injection attack surface identified (Category 8).
- Ingestion points: The skill ingests untrusted configuration data from
apm.ymlandapm.lock.yamlfiles located in the repository root (SKILL.md, Step 1). - Boundary markers: No explicit delimiters or instructions are provided to the agent to distinguish between the manifest data and the agent's instructions.
- Capability inventory: The agent has the capability to execute shell scripts defined in the manifest (
apm run) and download code from remote sources (apm install). - Sanitization: The skill does not define validation or sanitization procedures for the manifest content before it influences agent behavior.
Audit Metadata