azure-mcp
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: Hardcoded passwords are provided in example commands, which may be executed literally by the agent.
  - File: SKILL.md
  - Evidence: `--admin-password "Password123!"` is used in both the `az sql server create` and `az postgres flexible-server create` commands.
- [COMMAND_EXECUTION]: The skill includes instructions to create insecure network configurations that permit global access.
  - File: SKILL.md
  - Evidence: `az postgres flexible-server firewall-rule create` is configured with `--start-ip-address 0.0.0.0 --end-ip-address 255.255.255.255`, effectively disabling firewall protections for the database.
- [COMMAND_EXECUTION]: Extensive capability to retrieve sensitive cleartext credentials and secrets from cloud resources.
  - File: SKILL.md
  - Evidence: Includes commands such as `az storage account show-connection-string`, `az keyvault secret show`, and `az servicebus namespace authorization-rule keys list`, which expose authentication tokens and secrets directly to the agent's context.
- [EXTERNAL_DOWNLOADS]: Fetches source code from external repositories for deployment tasks.
  - File: SKILL.md
  - Evidence: `az webapp deployment source config` utilizes external URLs like `https://github.com/org/repo`. Note that github.com is a well-known service.
- [PROMPT_INJECTION]: Potential for indirect prompt injection via ingestion of untrusted application logs and query results.
  - Ingestion points: `az webapp log tail` and `az monitor log-analytics query` in SKILL.md allow external data into the agent's prompt.
  - Boundary markers: None present to distinguish between logs and system instructions.
  - Capability inventory: Full resource management, including RBAC assignment and secret retrieval capabilities.
  - Sanitization: No sanitization or filtering of log content is specified.
Recommendations
- AI detected serious security threats
Audit Metadata