azure-ai-vision-imageanalysis-py

Pass

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: LOW

EXTERNAL_DOWNLOADS

Full Analysis

The skill azure-ai-vision-imageanalysis-py and its associated acceptance-criteria.md file were analyzed. No critical, high, or medium severity threats were detected.

1. Prompt Injection: No patterns indicative of prompt injection (e.g., 'IMPORTANT: Ignore', role-play instructions, system prompt extraction) were found in the skill description, code comments, or examples.

2. Data Exfiltration: The skill demonstrates accessing VISION_ENDPOINT and VISION_KEY from environment variables, which is a secure practice for handling credentials. It explicitly warns against hardcoding credentials in the acceptance-criteria.md file. No attempts to read sensitive local files (e.g., ~/.aws/credentials, ~/.ssh/id_rsa) or exfiltrate data to non-whitelisted external domains were found.

3. Obfuscation: No obfuscation techniques such as Base64 encoding, zero-width characters, Unicode homoglyphs, or URL/hex/HTML encoding were detected in either file.

4. Unverifiable Dependencies: The skill instructs users to install azure-ai-vision-imageanalysis via pip. It also implicitly relies on azure.identity and azure.core. These packages are part of the official Azure SDK for Python, maintained by Microsoft/Azure. The acceptance-criteria.md explicitly references https://github.com/Azure/azure-sdk-for-python. As microsoft and azure are listed as trusted GitHub organizations, this dependency is considered to come from a trusted external source. This finding is downgraded to LOW/INFO severity, as per the protocol for trusted external sources.

5. Privilege Escalation: No commands like sudo, chmod +x, chmod 777, or attempts to modify system files or install services were found.

6. Persistence Mechanisms: No attempts to establish persistence (e.g., modifying .bashrc, creating cron jobs, or altering SSH authorized keys) were detected.

7. Metadata Poisoning: The name and description fields in SKILL.md are benign and accurately reflect the skill's purpose. No malicious instructions were found hidden in metadata.

8. Indirect Prompt Injection: The skill processes image data from URLs or local files. As with any skill that processes external content, there is an inherent, indirect risk of prompt injection if the image itself contains malicious data that could influence an AI's interpretation. This is an informational warning about a general risk, not a specific vulnerability in the skill's code.

9. Time-Delayed / Conditional Attacks: No conditional logic designed to trigger malicious behavior based on time, usage count, or specific environmental conditions was found.

Conclusion: The skill is well-documented, promotes secure coding practices, and relies on official, trusted external dependencies. The identified external dependencies are from a trusted source, leading to an overall SAFE verdict.

Audit Metadata
Risk Level: LOW

Analyzed: Feb 13, 2026, 10:25 AM