azure-devops
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (HIGH): The skill instructs downloading an agent from 'vstsagentpackage.azureedge.net'. While an official Microsoft domain, it is not on the predefined Trusted External Sources list. Finding: 'curl -o vsts-agent.tar.gz ... && ./config.sh'.\n- Privilege Escalation (HIGH): Agent installation requires 'sudo' to configure system services, which grants elevated permissions to the installation scripts (svc.sh).\n- Persistence Mechanisms (HIGH): The skill establishes persistence by installing the agent as a system service via './svc.sh install'.\n- Indirect Prompt Injection (HIGH): YAML templates interpolate variables like '$(env)' and '$(Build.SourceBranch)' into shell scripts without sanitization. If these are controlled by external inputs (e.g., branch names or runtime parameters), it allows arbitrary command execution. Ingestion points: 'parameters', 'variables', 'Build.SourceBranch'; Boundary markers: None; Capability inventory: Shell script execution via 'script:' tasks; Sanitization: None provided in templates.
Recommendations
- AI detected serious security threats
Audit Metadata