azure-ai-vision-imageanalysis-java
Audited by Gen Agent Trust Hub on Feb 13, 2026
The skill consists of markdown files (SKILL.md, references/acceptance-criteria.md, references/examples.md) that describe how to use the Azure AI Vision Image Analysis SDK for Java. It includes code snippets for installation, client creation, and various image analysis operations.
1. Prompt Injection: No patterns indicative of prompt injection were found in any of the files, including metadata fields.
2. Data Exfiltration:
- The skill demonstrates reading local image files (e.g., image.jpg, document.jpg, photo.jpg) using BinaryData.fromFile(new File("image.jpg").toPath()). This is an expected operation for an image analysis skill and is not considered malicious in this context. (LOW)
- It makes network requests to the Azure AI Vision service, which is the core functionality of the skill. It also uses generic example URLs (e.g., https://example.com/image.jpg) and one specific example URL https://raw.githubusercontent.com/Azure-Samples/cognitive-services-sample-data-files/master/ComputerVision/Images/landmark.jpg. The latter is from a trusted GitHub source (Azure-Samples under microsoft). No sensitive data is exfiltrated to untrusted domains. (LOW/INFO)
- The skill explicitly promotes using environment variables for API keys and endpoints (VISION_ENDPOINT, VISION_KEY, AZURE_CLIENT_ID, etc.) and warns against hardcoding credentials, which is a strong positive security practice.
3. Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, URL/hex/HTML encoding) were detected in any of the files.
4. Unverifiable Dependencies:
- The skill instructs on installing Maven dependencies: com.azure:azure-ai-vision-imageanalysis and com.azure:azure-identity. These are official Azure SDKs, maintained by Microsoft, which is a trusted organization. (LOW/INFO)
- The references/acceptance-criteria.md file also points to the official GitHub repository https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/vision/azure-ai-vision-imageanalysis, confirming the trusted source. (LOW/INFO)
5. Privilege Escalation: No commands or instructions that attempt to acquire elevated privileges (e.g., sudo, chmod 777) were found.
6. Persistence Mechanisms: No patterns for establishing persistence (e.g., modifying .bashrc, creating cron jobs) were detected.
7. Metadata Poisoning: The skill's name and description are benign and accurately reflect its purpose.
8. Indirect Prompt Injection: As a skill that processes external content (images from files or URLs), there is an inherent, indirect risk of prompt injection if malicious instructions were to be embedded within an image in a way the AI could interpret. This is a general risk for such skills and not a direct vulnerability in the skill's code itself. (INFO)
9. Time-Delayed / Conditional Attacks: No conditional logic or time-based triggers for malicious behavior were found.
Conclusion: The skill is well-documented, promotes secure practices for credential handling, and relies on trusted external sources. The identified actions (local file access, external network requests for images/SDKs) are part of its legitimate functionality and are handled responsibly. The overall security posture is SAFE.