working-with-ms-agent-framework
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner] Installation of third-party script detected

This skill file is documentation and examples for using Microsoft Agent Framework. It does not contain executable malicious code, obfuscation, or hidden network exfiltration. Primary security concerns are operational: storing API keys in per-entity .env files (risk of accidental Git commits), running DevUI in non-development environments (exposing local APIs/UI), and deserializing thread state without explicit integrity validation (risk if untrusted data is restored).

Recommend: avoid committing .env files, restrict DevUI to localhost and dev-only environments, add integrity checks/encryption/signatures for persisted thread checkpoints, and limit OTLP export endpoints to trusted collectors.

LLM verification: This SKILL.md is legitimate documentation for building agents with Microsoft Agent Framework and DevUI. It does not contain code that is obviously malicious. However, there are supply-chain and operational security concerns: the documentation instructs users to install an unpinned prerelease pip package, it demonstrates insecure practices (plaintext api-key in samples), and it encourages enabling tracing and auto-open in DevUI which can cause local exposure of conversation data and any secrets p