azure-ai-voicelive-java

Pass

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: LOW
NO_CODE
Full Analysis

The skill is entirely descriptive, providing documentation and code examples for a Java SDK. It does not contain any executable scripts or commands that the AI agent would run directly.

Threat Category Analysis:

  1. Prompt Injection: No prompt injection patterns were found. The skill's content is purely instructional for human developers.
  2. Data Exfiltration: No direct data exfiltration commands are present. The skill correctly advises using environment variables (System.getenv()) for sensitive information like API keys and endpoints, which is a secure practice.
  3. Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, etc.) were detected in the skill files.
  4. Unverifiable Dependencies: The skill references several Maven dependencies (e.g., com.azure:azure-ai-voicelive, com.azure:azure-identity, io.projectreactor:reactor-core). These are external libraries that a user would include in their Java project. All identified dependencies are from trusted GitHub organizations (Azure / Microsoft, Project Reactor). Since the skill itself does not execute these dependencies but merely describes them, and they are from trusted sources, this is noted as an informational finding.
  5. Privilege Escalation: No commands or instructions for privilege escalation (e.g., sudo, chmod 777) were found.
  6. Persistence Mechanisms: No attempts to establish persistence (e.g., modifying .bashrc, creating cron jobs) were detected.
  7. Metadata Poisoning: The skill's metadata (name, description) is benign and accurately reflects its purpose.
  8. Indirect Prompt Injection: The skill describes an SDK for building voice AI applications. Any application built using this SDK that processes untrusted user input (e.g., spoken commands) could potentially be susceptible to indirect prompt injection. However, this is a general risk inherent to the nature of voice AI applications and not a direct vulnerability within the skill's instructions themselves. This is an informational warning about the domain.
  9. Time-Delayed / Conditional Attacks: No patterns indicating time-delayed or conditional malicious behavior were found.

Adversarial Reasoning: From an adversarial perspective, this skill is low-risk because it is purely descriptive. It provides documentation and examples for a Java SDK, which a user would then compile and run in their own environment. The skill itself does not execute any code or perform any actions on the agent's behalf beyond providing information. The references to external code are to well-known, trusted organizations.

Conclusion: The skill is a documentation-only skill. It does not contain any executable code or instructions for the AI agent to perform actions that could lead to security vulnerabilities.

Audit Metadata

Risk Level: LOW
Analyzed: Feb 13, 2026, 10:25 AM