The Agent Skills Directory

[COMMAND_EXECUTION]: The skill implements a pattern that loads configuration using the shell 'source' command on the '.env.connectors' file. This file is populated with variables like Subscription IDs and Resource Group names that can be influenced by user input or external discovery. If malicious shell commands (e.g., subshell syntax) are injected into these fields, they will be executed with the agent's privileges when the file is sourced.
[COMMAND_EXECUTION]: Helper functions in 'references/office365-api.md' and 'references/teams-api.md' use shell string concatenation and interpolation to construct JSON payloads and 'az rest' commands. This creates a risk of command or JSON injection if the 'path' or 'body' parameters contain maliciously crafted strings derived from untrusted inputs.
[PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection due to its interaction with untrusted external data.
Ingestion points: Untrusted data enters the agent context through email reading actions ('/v3/Mail') and Teams message retrieval ('/beta/teams/.../messages').
Boundary markers: The skill lacks explicit boundary markers or instructions to the agent to ignore embedded commands within the ingested content.
Capability inventory: The skill has broad capabilities including creating and deleting Azure resources, sending emails, posting messages, and modifying local configuration files ('.env.connectors').
Sanitization: No escaping or validation is performed on the ingested content before it is processed or used in further actions.
[DATA_EXFILTRATION]: The skill accesses and stores sensitive Azure Subscription IDs and Resource Group names in the '.env.connectors' file. While it attempts to add this file to '.gitignore', the information remains accessible to the agent and could be exposed if the agent is directed to forward this data via the provided email or Teams connectors.

azure-connectors