agent-package-manager
Pass
Audited by Gen Agent Trust Hub on Jun 28, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill provides troubleshooting instructions to download and install the APM CLI from
https://aka.ms/apm-unixandhttps://aka.ms/apm-windows. These URLs are official Microsoft-owned short-links used for software delivery. - [REMOTE_CODE_EXECUTION]: In
references/troubleshooting.md, the skill includes commands that pipe remote content directly to a shell for installation (curl -sSL ... | shandirm ... | iex). While these originate from a trusted domain, they facilitate the execution of remote scripts on the local host. - [COMMAND_EXECUTION]: The skill's primary function involves running the
apmcommand-line utility to manage project state. It also supports executing custom scripts defined in a repository'sapm.ymlmanifest via theapm runcommand, which allows for arbitrary command execution within the project context. - [CREDENTIALS_UNSAFE]: The documentation references authentication mechanisms such as
GITHUB_CLI_PAT,GITHUB_TOKEN, andKB_TOKEN. These are described as environment variables for users to configure their local environment for private repository access, rather than being hardcoded within the skill. No sensitive credentials or secrets were found in the provided files. - [PROMPT_INJECTION]: The skill is subject to potential indirect prompt injection as it ingests and processes data from external files to determine its logic.
- Ingestion points: The agent reads configuration data from
apm.yml,apm.lock.yaml, and other repository files during its assessment step. - Boundary markers: There are no explicit delimiters or system instructions provided to the agent to ignore or isolate instructions that might be embedded within these manifest files.
- Capability inventory: The skill has the ability to execute shell commands via the
apmCLI and perform network operations through standard dependency resolution. - Sanitization: No validation or sanitization of the contents within the
apm.ymlorapm.lock.yamlfiles is mentioned before the agent uses that data to drive tool execution.
Audit Metadata