It is also rather bad in other ways.
The auto updater and package installers pretty much require extensive write access be available to the web user account. This will make hacked Abantecart sites very useful to bad guys.
The automatic updater has no reliable way to know if a cart has already been modified -- and I'm seeing a whole lot of cases where the recommended modification approach is to change the original code. Sometimes its as simple as inserting a hook somewhere, but it still going to be blown away by an automatic update.
Easy auto update = easy crash and burn.
Once installed, the only folders which allow writing should be those used for backups, media storage and temporary files. Those folders should have an htaccess file which prevents execution of PHP code anywhere within them as well as indexing of the folder. This approach stops many successful penetrations cold. The cracker can place as many files as they want, they just can't benefit from them.
I do quite a bit of cleanup work on sites hosted on other servers, including some of the best known names in the business. I can generally trace most of the damage to this type of failure to layer the security.
Another thing that is lost with this approach is internal experience with actually USING your own software. Nothing says "This cart WORKS" like buying your updates from an installation of the same cart.....
Oh - package installation key ?? I don't see any mention of that anywhere...
David