azure-ai-contentunderstanding-py

Pass

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: LOW (EXTERNAL_DOWNLOADS)

Full Analysis

The skill azure-ai-contentunderstanding-py and its associated acceptance-criteria.md have been analyzed for security vulnerabilities. No critical or high-severity threats were detected.

1. Prompt Injection: No patterns indicative of prompt injection were found in either file. The instructions are clear and focused on SDK usage.

2. Data Exfiltration: The skill uses os.environ["CONTENTUNDERSTANDING_ENDPOINT"] and DefaultAzureCredential() for authentication, which are secure methods that rely on environment variables or managed identities rather than hardcoded credentials. The acceptance-criteria.md explicitly lists hardcoded credentials as an anti-pattern, reinforcing good security practices. The skill's purpose involves making network requests to Azure services, which is its intended and legitimate function. No attempts to exfiltrate sensitive local data to untrusted external domains were found.

3. Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, URL/hex/HTML encoding) were detected in either file.

4. Unverifiable Dependencies: The SKILL.md file includes the instruction pip install azure-ai-contentunderstanding. This package is part of the Azure/azure-sdk-for-python repository, which is maintained by Microsoft (microsoft is a trusted GitHub organization). Therefore, this dependency is from a trusted source. This finding is noted as LOW/INFO severity, as per the trusted source exception, and does not elevate the overall verdict.

5. Privilege Escalation: No commands such as sudo, chmod, or other privilege escalation attempts were found.

6. Persistence Mechanisms: No attempts to establish persistence (e.g., modifying .bashrc, creating cron jobs) were detected.

7. Metadata Poisoning: The skill's metadata (name, description) and the content of both markdown files are benign and do not contain hidden malicious instructions.

8. Indirect Prompt Injection: The skill is designed to process external content (documents, images, audio, video) from user-provided URLs. This means that if the content at these URLs contains malicious instructions, it could potentially lead to indirect prompt injection. This is an inherent risk for any skill that processes external, untrusted data, and is noted as an informational warning rather than a direct vulnerability in the skill's code.

9. Time-Delayed / Conditional Attacks: No conditional logic that would trigger malicious behavior based on time, usage, or environment was found.

Conclusion: The skill is well-structured, uses secure practices for credential handling, and relies on a trusted external dependency. The identified EXTERNAL_DOWNLOADS finding concerns a package from a trusted source and therefore poses minimal risk. The potential for INDIRECT_PROMPT_INJECTION is a general risk associated with the service's functionality rather than a flaw in the skill's instructions. Overall, the skill is considered SAFE.

Audit Metadata

Risk Level: LOW
Analyzed: Feb 13, 2026, 10:24 AM