adf-ml-analytics
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill defines patterns for ingesting and processing untrusted data from external sources (e.g., feedback text, database records) for analysis by AI services or LLMs, which constitutes an indirect prompt injection surface.
 - Ingestion points: the LookupFeedback activity, the GetRecordBatches activity, and various SQL lookup activities in SKILL.md.
 - Boundary markers: the templates do not include explicit delimiters or instructions to ignore embedded commands in the processed data.
 - Capability inventory: the skill can perform network requests via WebActivity, write data via Copy activities, and execute logic via DatabricksJob and SqlServerStoredProcedure.
 - Sanitization: no sanitization or validation logic is present in the orchestration templates for the external text data.
- [COMMAND_EXECUTION]: The skill includes patterns for executing arbitrary Python or R scripts and deserializing data within the database engine, representing high-privilege operations within the SQL context.
 - Evidence: the implementation of the dbo.usp_PythonMLScoring procedure in SKILL.md uses the sp_execute_external_script feature with the @language = N'Python' parameter.
 - Evidence: the embedded Python script uses pickle.loads() to deserialize model data retrieved from the dbo.MLModels table, which is a potential vector for unsafe deserialization if the database content is compromised.
Audit Metadata