agent-package-manager

Pass

Audited by Gen Agent Trust Hub on Jun 28, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill provides troubleshooting instructions to download and install the APM CLI from https://aka.ms/apm-unix and https://aka.ms/apm-windows. These URLs are official Microsoft-owned short-links used for software delivery.
  • [REMOTE_CODE_EXECUTION]: In references/troubleshooting.md, the skill includes commands that pipe remote content directly to a shell for installation (curl -sSL ... | sh and irm ... | iex). While these originate from a trusted domain, they facilitate the execution of remote scripts on the local host.
  • [COMMAND_EXECUTION]: The skill's primary function involves running the apm command-line utility to manage project state. It also supports executing custom scripts defined in a repository's apm.yml manifest via the apm run command, which allows for arbitrary command execution within the project context.
  • [CREDENTIALS_UNSAFE]: The documentation references authentication mechanisms such as GITHUB_CLI_PAT, GITHUB_TOKEN, and KB_TOKEN. These are described as environment variables for users to configure their local environment for private repository access, rather than being hardcoded within the skill. No sensitive credentials or secrets were found in the provided files.
  • [PROMPT_INJECTION]: The skill is subject to potential indirect prompt injection as it ingests and processes data from external files to determine its logic.
  • Ingestion points: The agent reads configuration data from apm.yml, apm.lock.yaml, and other repository files during its assessment step.
  • Boundary markers: There are no explicit delimiters or system instructions provided to the agent to ignore or isolate instructions that might be embedded within these manifest files.
  • Capability inventory: The skill has the ability to execute shell commands via the apm CLI and perform network operations through standard dependency resolution.
  • Sanitization: No validation or sanitization of the contents within the apm.yml or apm.lock.yaml files is mentioned before the agent uses that data to drive tool execution.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 28, 2026, 12:46 AM
Security Audit — agent-trust-hub — agent-package-manager