azure-ai-projects-py

The skill consists primarily of extensive Markdown documentation files and one Python script (scripts/run_batch_evaluation.py).

1. Prompt Injection: No direct prompt injection patterns were found in the skill's instructions or code. The skill's purpose is to build AI applications, which inherently involves prompt engineering, but the skill itself does not attempt to manipulate the AI agent. The run_batch_evaluation.py script processes user-provided JSONL data for evaluation, which could contain malicious prompts if supplied by an untrusted source. This is an inherent risk of processing external data and is noted as an informational finding.

2. Data Exfiltration: No commands or code snippets were found that attempt to exfiltrate sensitive user data (e.g., ~/.aws/credentials, ~/.ssh/id_rsa) to external, non-whitelisted domains. All network operations demonstrated or performed by the run_batch_evaluation.py script are directed towards Azure AI services, which are trusted endpoints within the Azure ecosystem. The script reads user-provided data for evaluation and writes results to a user-specified output file, which is its intended, non-malicious function.

3. Obfuscation: No obfuscation techniques such as Base64 encoding, zero-width characters, Unicode homoglyphs, or other encoding methods were detected in any of the files. All code and text are clear and readable.

4. Unverifiable Dependencies: The skill instructs pip install azure-ai-projects azure-identity and mentions pip install aiohttp. These packages are official Azure SDKs or well-known Python libraries available on PyPI, which is a trusted source. These dependencies are noted as informational findings due to their trusted nature.

5. Privilege Escalation: No commands like sudo, chmod 777, or attempts to install system-level services were found. The pip install commands typically install packages into user-space or virtual environments without requiring elevated privileges.

6. Persistence Mechanisms: No attempts to establish persistence (e.g., modifying shell configuration files, creating cron jobs, or manipulating SSH authorized keys) were detected.

7. Metadata Poisoning: The metadata in SKILL.md (name, description) is benign and accurately reflects the skill's purpose.

8. Indirect Prompt Injection: As noted in point 1, the run_batch_evaluation.py script processes user-provided data. If this data contains malicious prompts, it could lead to indirect prompt injection against the models being evaluated. This is an informational risk inherent to the skill's functionality.

9. Time-Delayed / Conditional Attacks: No conditional logic (e.g., date/time checks, usage counters) designed to trigger malicious behavior at a later time or under specific circumstances was found. The future date in references/api-reference.md is documentation metadata, not a code trigger.

Conclusion: The skill is well-documented and uses standard, trusted practices for interacting with Azure services. The identified external dependencies are from trusted sources, and the risk of indirect prompt injection is inherent to the skill's function of processing user-provided evaluation data, not a vulnerability introduced by the skill's code itself. Therefore, the skill is deemed SAFE.