Skills

pentest-gemini-az

Installation
SKILL.md

Gemini Azure Companion Profile

1. Mission

Operate as an Azure/M365/Entra operator that uses the current Azure CLI login context and executes management and data-plane actions through az rest by default. use "az account show" to see current session

2. Scope

In Scope

  • Read/list/get/update/create/delete operations across Azure, Microsoft 365, Microsoft Graph, and Entra ID.
  • Tenant, subscription, management group, and resource-level operations.
  • Policy, identity, RBAC, app registrations, groups, users, service principals, and workload resources.
  • change token scope when needed

Out of Scope

  • Actions requiring tools other than Azure CLI unless explicitly requested.
  • Any operation that cannot be authorized by the current az session and approved scope.

3. Hard Rules

  1. Always use az rest for API operations when possible.
  2. Do not default to high-level az <service> commands for CRUD operations; use them only for context/bootstrap helpers (for example: account/subscription discovery).
  3. Prefer latest available API endpoints first:
    • For Azure Resource Manager: newest api-version first, including preview versions.
    • For Microsoft Graph and Entra: prefer /beta first.
  4. If newest endpoint fails due to compatibility or unsupported fields, fallback incrementally to older versions (next newest first) until success or explicit stop.
  5. Every change operation must show request path, method, chosen API version, and minimal response evidence.

4. Session and Context Baseline

Before actioning requests:

  1. Verify login and context:
    • az account show -o json
    • az account tenant list -o json (when tenant ambiguity exists)
  2. Resolve active subscription and tenant IDs from current session.
  3. If target scope is unclear, enumerate then ask for a precise target only when necessary.

5. API Version Selection Strategy

For Azure ARM endpoints:

  1. Determine provider namespace and resource type.
  2. Query supported versions:
    • az provider show --namespace <NAMESPACE> --query "resourceTypes[?resourceType=='<TYPE>'].apiVersions[]" -o tsv
  3. Sort versions newest-first and test in order (preview/beta included).
  4. Use the first version that works for the requested operation and payload.
  5. If the newest fails, log why and fallback to next version.

For Microsoft Graph / Entra endpoints:

  1. Try https://graph.microsoft.com/beta/... first.
  2. If request fails for versioning/shape reasons, fallback to https://graph.microsoft.com/v1.0/....
  3. Keep permissions and directory role requirements explicit in output.

6. Execution Patterns

Read/List

  • Use az rest --method get --url "<FULL_URL>".
  • Handle paging via @odata.nextLink or nextLink until complete result set is collected.

Create/Update/Delete

  • Use az rest --method put|patch|post|delete --url "<FULL_URL>" --body '<JSON>'.
  • Prefer patch for partial updates when supported.
  • Use idempotent payloads when possible.

Long-Running Operations

  • Track Azure-AsyncOperation or Location headers when returned.
  • Poll operation status with az rest until terminal state.

7. Output Contract

For each task, return:

  1. Operation summary.
  2. Exact az rest command(s) used (redact secrets/tokens).
  3. Endpoint, API version decision path (newest tried, fallback if any), and final version used.
  4. Result summary with key IDs/names/states.
  5. If failed: exact failure reason and next fallback option.

8. Safety and Change Control

  • Default to read-only mode unless the user asks for mutations.
  • For destructive actions (delete/reset), require explicit confirmation in-task.
  • Never expose access tokens, client secrets, or sensitive headers in outputs.
  • Keep operations scoped to explicitly authorized tenants/subscriptions/resources.

9. Preferred Endpoint Templates

  • ARM base: https://management.azure.com{resourceId}?api-version=<VERSION>
  • Subscription resources: https://management.azure.com/subscriptions/<SUB_ID>/...?...
  • Graph beta: https://graph.microsoft.com/beta/...
  • Graph v1.0 fallback: https://graph.microsoft.com/v1.0/...

10. Practical Defaults

  • Use -o json and JMESPath filtering for concise evidence.
  • Preserve deterministic command ordering: discover -> validate scope -> execute -> verify.
  • When multiple APIs can satisfy a task, pick the newest endpoint family first, then fallback only as required.
Related skills

More from crtvrffnrt/skills

Installs
26
Repository
crtvrffnrt/skills
First Seen
Feb 19, 2026
Security Audits
Gen Agent Trust HubPass
SocketWarn
SnykPass