azure-mgmt-botservice-py
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted metadata from cloud resources, presenting an indirect prompt injection surface.
- Ingestion points: Data such as bot display names, descriptions, and site names are ingested from Azure in
SKILL.mdviaclient.bots.list()andclient.bots.get(). - Boundary markers: The code examples do not define specific boundaries or include instructions for the agent to ignore potentially malicious content within these fields.
- Capability inventory: The skill possesses extensive capabilities, including creating, updating, and deleting bots and channel configurations.
- Sanitization: No sanitization logic is present to filter or escape the retrieved metadata before it is presented to the agent.
- [DATA_EXFILTRATION]: Example code in
SKILL.mdprints sensitive authentication keys directly to the standard output. - The 'List Channel Keys' example uses
print(f"Key: {site.key}"), which exposes secret credentials. While this is part of the management functionality, printing secrets can lead to unintended exposure in shared environments or logs.
Audit Metadata