richfrem/install-apm-package
plugins/agent-scaffolders/skills/install-apm-package/SKILL.md
Activate when the user wants to install, deploy, test, or materialize an APM package into runtime directories such as .agents/, .github/, .claude/, .cursor/, .gemini/, .codex/, .opencode/, or .windsurf/. Use after creating or converting an APM package.
$ install --global
skillsauthnpx skillsauth add richfrem/agent-plugins-skills install-apm-packageInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 18, 2026, 5:18 AM126.2s3 files scanned
SKILL.md
- name:
- install-apm-package
- description:
- >-
- allowed-tools:
- Bash, Read, Glob
install-apm-package Skill 🚀
Overview
This skill manages the safe deployment of APM primitives into their respective runtime environments. It enforces validation and target discovery to ensure byte-identical reproducibility across environments.
🚫 Non-Negotiables
- Source Integrity — Never edit files in
.agents/,.github/, or.claude/directly. Always edit the source in.apm/and re-install. - Lockfile Persistence —
apm.lock.yamlMUST be committed after any install change. - Validation First — Always run
validate_apm_package.pybefore executing the install. - Project Root Discipline — Run
apm installfrom the project root to ensure converged skills land in the authoritative.agents/folder. Running inside a package directory creates local, isolated artifacts.
Decision Tree
- Global Activation? -> Run
apm install ./path-to-packagefrom the project root. - Isolated Testing? -> Run
apm installfrom within the package directory. - Target Inferred? -> (e.g.,
.claude/exists) -> Runapm install. - Ambiguous Target? -> (No signals) ->
apm installwill exit with code 2; ask user for explicit--target(e.g.,agent-skills,claude,all). - Converged Skills? -> (Standard) -> Deploys to
.agents/skills/. Use--target agent-skillsfor explicit skill deployment. - Legacy Skills? -> (Per-client paths) -> Use
--legacy-skill-pathsflag. - Production/CI? -> Use
--frozenflag to ensure lockfile compliance.
Workflow
- Verify
apm.ymlexistence (locally or at root). - Execute
python scripts/validate_apm_package.py. - Select Execution Context:
- For project-wide use:
cd <repo-root> - For local test:
cd <package-dir>
- For project-wide use:
- Preview with
apm install [--target <slug>] --dry-run --verbose. - Run
apm install [./relative-path-to-pkg] [--target <slug>] [--legacy-skill-paths].- Use
--target all,agent-skillsto deploy to all harnesses AND converged skills.
- Use
- Verify
apm.lock.yamlupdate at the execution root.
Duplicate Visibility Guardrail
Before recommending all,agent-skills, check whether the user is doing:
- a routing smoke test, or
- an actual day-to-day runtime install.
For smoke tests, all,agent-skills is appropriate. For real use, prefer the smallest target list that matches the runtime. Installing both converged and target-specific skills may cause duplicate skill visibility in runtimes that scan multiple skill locations.
Anti-Patterns
- Manual Materialization: Moving files into
.github/agents/by hand instead of usingapm install. - Ignoring the Lockfile: Failing to commit
apm.lock.yamlafter adding a dependency. - Editing Artifacts: Modifying the generated runtime output instead of the
.apm/source.
Related Skills
richfrem/vector-db-ingest
tools
VerifiedTrustedCommunity
Ingests repository files into the ChromaDB vector store. Builds or updates the vector index from a manifest or directory scan using ingest.py. Use when new files need to be indexed or the vector store is out of date. <example> user: "Index these new plugin files into the vector database" assistant: "I'll use vector-db-ingest to add them to the vector store." </example> <example> user: "The vector store is missing recent files -- update it" assistant: "I'll use vector-db-ingest to re-index the changes." </example>
3SKILL.mdUpdated Jun 2, 2026
richfrem/vector-db-cleanup
data-ai
VerifiedTrustedCommunity
Removes stale and orphaned chunks from the ChromaDB vector store for files that have been deleted or renamed. Use after files are removed or moved to keep the vector index in sync with the filesystem. <example> user: "Clean up the vector store after I deleted some files" assistant: "I'll use vector-db-cleanup to remove orphaned chunks." </example> <example> user: "The vector database has chunks for files that no longer exist" assistant: "I'll run vector-db-cleanup to prune them." </example>
3SKILL.mdUpdated Jun 2, 2026
richfrem/vector-db-audit
testing
VerifiedTrustedCommunity
Audit Vector DB coverage -- compares the live filesystem manifest against the ChromaDB index to identify coverage gaps.
3SKILL.mdUpdated Jun 2, 2026
richfrem/rlm-search
development
VerifiedTrustedCommunity
3-Phase Knowledge Search strategy for the RLM Factory ecosystem. Auto-invoked when tasks involve finding code, documentation, or architecture context in the repository. Enforces the optimal search order: RLM Summary Scan (O(1)) -> Vector DB Semantic Search -> Grep/Exact Match. Never skip phases.
3SKILL.mdUpdated Jun 2, 2026