apm-usage

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill docs explicitly describe fetching and installing packages and files from arbitrary public repos/URLs (see dependencies.md and workflow.md: apm install with GitHub/GitLab/HTTPS/SSH URLs) and compiling/deploying .apm prompts/agents (apm compile / deployed primitives) and even loading remote policy files (apm audit --ci --policy https://... in governance.md), so untrusted user-generated content is ingested and can materially change agent prompts/behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs runtime fetches that can directly control agent prompts or execute code — e.g., apm install will pull Git repositories like https://github.com/microsoft/apm-sample-package.git (or shorthand owner/repo entries) which may contain .prompt.md/.instructions.md that are deployed into the agent context, and the installer curl command https://aka.ms/apm-unix is shown being piped to sh (executes remote code).