HN Showcase
Back to browse
GitHub Repository

Agent Package Manager

2,728 starsPython

A tool to solve the Agent Supply Chain pandora box

by dmppch·Mar 31, 2026·1 point·0 comments
Visit ProjectView on HN

AI Analysis

●●●BangerBig BrainZero to OneSlick

npm for AI agent configs with transitive deps and unicode attack scanning.

Strengths
  • Transitive dependency resolution for agent skills, prompts, plugins, and MCP servers
  • Security auditing blocks hidden unicode attacks before agents read compromised packages
  • Cross-runtime deployment works with Copilot, Cursor, Claude Code, and Codex simultaneously
Weaknesses
  • AI agent ecosystem still evolving — may solve a problem most teams don't have yet
  • Microsoft backing could raise vendor lock-in concerns for some enterprise adopters
Target Audience

Engineering teams using AI coding agents like Copilot, Cursor, or Claude Code

Similar To

npm · MCP Registry · Cursor shared settings

Post Description

An OSS tool I built to manage agent configuration (plugins, skills, et al) as we do code dependencies. With a portable manifest, lockfile, and audits.

APM ships as a CLI. Install it first e.g. with brew or pip and then:

"apm install <org>/<repo>" or "apm install plugin@marketplace"

That will resolve the dependency (through Artifactory if configured too) and pin the sha or version to the lockfile after scanning for hidden unicode. It then deploys to any agent runtime you may be using (e.g. Copilot, Codex, Cursor, Claude).

I built this over a year working with large scale enterprises clamoring for it.

Similar Projects

Security●●Solid

Open-source white-box agentic red teamer for AI agents

White-box agent red teaming finds 5x more vulns than black-box prompt injection.

Dark HorseSolve My Problem
ashish-a
102mo ago