azure-infra-engineer
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a high-privilege write capability (Azure resource deployment) and ingests untrusted configuration data provided by the agent. This creates a significant attack surface for Indirect Prompt Injection.
  - Ingestion points: BicepDeploymentConfig, VNetConfig, and AlertRuleConfig parameters in scripts/configure_bicep_template.ts, scripts/deploy_azure_resources.ts, and scripts/setup_monitoring.ts.
  - Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded commands within the configuration data.
  - Capability inventory: Full resource deployment capabilities in Azure (VMs, Networking, Monitoring) and local file read access.
  - Sanitization: Absent. Input parameters are not validated against path traversal or malicious content beyond basic schema checks.
- Data Exposure & Exfiltration (HIGH): The templatePath parameter in scripts/configure_bicep_template.ts allows the skill to read any file from the local filesystem. While JSON.parse provides some protection against reading non-JSON files, sensitive JSON configuration files could be read and transmitted to the Azure Management API during a deployment or validation operation.
Recommendations
- AI detected serious security threats