agents-v2-py

Pass

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: LOW (EXTERNAL_DOWNLOADS)
Full Analysis

The skill SKILL.md and its accompanying references/acceptance-criteria.md are primarily instructional and descriptive. They guide the user on how to set up and configure Azure AI hosted agents using the Azure AI Projects SDK.

Threat Category Assessment:

  1. Prompt Injection: No patterns indicative of prompt injection were found in either file. The content is instructional and does not attempt to manipulate the AI's behavior or bypass safety guidelines.
  2. Data Exfiltration: No commands or patterns were detected that would lead to data exfiltration. There is no access to sensitive file paths (e.g., ~/.aws/credentials, ~/.ssh/id_rsa) combined with network operations to untrusted domains.
  3. Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, URL/hex/HTML encoding) were found in the skill files.
  4. Unverifiable Dependencies (LOW): The SKILL.md file instructs the user to install Python packages: pip install azure-ai-projects>=2.0.0b3 azure-identity (SKILL.md, line 13). These packages are hosted on PyPI and are part of the Azure SDKs maintained by Microsoft/Azure, which are recognized as trusted organizations. Any external dependency carries some inherent risk, but the trusted source significantly mitigates it, so this finding is downgraded to LOW severity.
  5. Privilege Escalation: No commands like sudo, chmod +x, chmod 777, or other privilege escalation attempts were found.
  6. Persistence Mechanisms: No attempts to establish persistence (e.g., modifying .bashrc, crontab, authorized_keys) were detected.
  7. Metadata Poisoning: The metadata fields (name, description) in SKILL.md are benign and accurately reflect the skill's purpose.
  8. Indirect Prompt Injection: The skill itself does not process external, untrusted content. It provides instructions for building an agent, which could process untrusted content, but this is a risk associated with the agent the user builds, not the skill's instructions directly.
  9. Time-Delayed / Conditional Attacks: No conditional logic based on time, usage, or environment variables designed to trigger malicious behavior was found.

Additional Observations:

  • The skill explicitly promotes good security practices by stating: "Best Practice: Never hardcode secrets. Use environment variables or Azure Key Vault." (SKILL.md, line 136) and the references/acceptance-criteria.md also warns against "Hardcoded credentials" (references/acceptance-criteria.md, line 78).
  • The references/acceptance-criteria.md file refers to https://github.com/Azure/azure-sdk-for-python (references/acceptance-criteria.md, line 5), which is a trusted GitHub organization. This is noted as an informational finding.

Conclusion: The primary concern identified is the instruction to install external Python packages. However, since these packages are from trusted sources (Microsoft/Azure via PyPI), the risk is significantly reduced. No other malicious patterns or critical vulnerabilities were found. The skill is instructional and promotes good security practices.

Audit Metadata
Risk Level: LOW
Analyzed: Feb 13, 2026, 10:24 AM