pentest-gemini-az
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
- COMMAND_EXECUTION (HIGH): The core functionality of the skill is executing arbitrary Azure CLI commands, specifically `az rest`. This allows the agent to perform any action the logged-in user is authorized for, including deleting resources or changing security configurations across Azure and M365.
- CREDENTIALS_UNSAFE (HIGH): The skill manages identity-related resources such as 'app registrations', 'service principals', and 'RBAC'. This capability can be exploited to create persistent backdoors, generate new client secrets, or modify existing credentials within the tenant.
- DATA_EXFILTRATION (MEDIUM): The skill is designed to read and list sensitive directory and resource data (users, groups, policies). While no external network exfiltration path is hardcoded, the display of this sensitive information in the chat session constitutes a risk of data exposure.
- PRIVILEGE_ESCALATION (HIGH): The skill explicitly allows for changing 'token scope when needed'. An attacker could use this to escalate the agent's permissions beyond the initial session limits by requesting broader OAuth2 scopes for Microsoft Graph or Azure ARM.
- INDIRECT_PROMPT_INJECTION (LOW):
- Ingestion points: Data returned from Azure Resource Manager or Microsoft Graph API calls (e.g., resource tags, user profile fields, or application metadata).
- Boundary markers: Absent; the skill does not define delimiters to separate untrusted API data from its internal instruction logic.
- Capability inventory: Full CRUD operations via `az rest` and the ability to modify authorization scopes.
- Sanitization: None; the skill assumes API responses are safe and does not sanitize content before processing.
Recommendations
- AI detected serious security threats