microsoft/auth
.github/skills/auth/SKILL.md
Activate when code touches token management, credential resolution, git auth flows, GITHUB_APM_PAT, ADO_APM_PAT, AuthResolver, HostInfo, AuthContext, or any remote host authentication — even if 'auth' isn't mentioned explicitly.
$ install --global
skillsauthnpx skillsauth add microsoft/apm authInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 15, 2026, 11:36 AM24.6s1 file scanned
SKILL.md
- name:
- auth
- description:
- >
Auth Skill
Auth expert persona
When to activate
- Any change to
src/apm_cli/core/auth.pyorsrc/apm_cli/core/token_manager.py - Code that reads
GITHUB_APM_PAT,GITHUB_TOKEN,GH_TOKEN,ADO_APM_PAT - Code using
git ls-remote,git clone, or GitHub/ADO API calls - Error messages mentioning tokens, authentication, or credentials
- Changes to
github_downloader.pyauth paths - Per-host or per-org token resolution logic
Key rule
All auth flows MUST go through AuthResolver. No direct os.getenv() for token variables in application code.
Related Skills
microsoft/shepherd-driver
testing
VerifiedTrustedCommunity
Use only as the composed drive-to-merge stage of an APM batch orchestrator (batch-bug-shepherd, apm-issue-autopilot) that has already selected ONE open pull request in microsoft/apm. Do NOT use for user-facing requests to triage issues, sweep a queue, or open PRs -- the parent orchestrator owns those. Spawn one shepherd-driver subagent per PR: it classifies copilot-pull-request-reviewer[bot] inline review, runs the apm-review-panel, folds (by default) every recommendation inside the PR's stated scope, pushes to the head branch or a superseding PR that preserves authorship via commit trailers, watches CI to green, and iterates under fixed caps until ready-to-merge, advisory-with-deferred, superseded, or blocked. Also provides the cross-PR conflict-resolution and mergeability-gate phase. This is NOT a standalone entrypoint.
2,734SKILL.mdUpdated Jun 3, 2026
microsoft/pr-description-skill
testing
VerifiedTrustedCommunity
Use this skill to write the PR description (PR body) for any pull request opened against microsoft/apm. Produces one self-sufficient GitHub-Flavored Markdown artifact: TL;DR, Problem (WHY), Approach (WHAT), Implementation (HOW), 1-3 validated mermaid diagrams, explicit trade-offs, validation evidence, and a How-to-test section -- with every WHY-claim backed by a verbatim quote from PROSE or Agent Skills. Activate when the user asks to "write a PR description", "draft a PR body", "open a PR", "fill in the PR template", or any equivalent.
2,734SKILL.mdUpdated Jun 3, 2026
microsoft/apm-triage-panel
testing
VerifiedTrustedCommunity
Use this skill to triage a single newly opened, reopened, or `status/needs-triage`-labelled issue in microsoft/apm. Emit one synthesized comment with a triage decision, label set, milestone, and suggested next action.
2,734SKILL.mdUpdated Jun 3, 2026
microsoft/apm-review-panel
tools
VerifiedTrustedCommunity
Use this skill to run a multi-persona expert advisory review on a labelled pull request in microsoft/apm. The panel fans out to five mandatory specialists plus a test-coverage specialist (active on every PR that touches src/) plus three conditional specialists (auth, doc-writer, performance-expert), all running in their own agent threads, and a CEO synthesizer. The orchestrator is the sole writer to the PR: ONE recommendation comment, no verdict labels, no merge gating. The panel is advisory -- it surfaces findings, prioritizes follow-ups, and renders a ship-recommendation that the maintainer and author weigh. Activate when a non-trivial PR needs a cross-cutting recommendation (architecture, CLI logging, DevX UX, supply-chain security, growth/positioning, optionally auth, docs, perf, and test coverage, with CEO arbitration).
2,451SKILL.mdUpdated May 22, 2026