azure-ai-voicelive-py

Pass

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: LOW (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis

The skill consists of five markdown files: SKILL.md, references/acceptance-criteria.md, references/api-reference.md, references/examples.md, and references/models.md. The primary purpose is to document and provide examples for the azure-ai-voicelive Python SDK.

1. Prompt Injection: No patterns indicative of prompt injection were found. The instructions field in RequestSession is for configuring the AI model's behavior, not for manipulating the agent itself.

2. Data Exfiltration:

  • The skill instructs the user to run pip install azure-ai-voicelive aiohttp azure-identity. These are well-known, trusted Python packages from reputable organizations (Microsoft, Python community). While pip install is a form of external download, the finding is downgraded to LOW/INFO due to the trusted nature of the packages.
  • File I/O operations (Path().read_bytes(), Path().write_bytes()) are present in references/examples.md for processing audio files. These operations are consistent with the skill's stated purpose and do not target sensitive file paths.
  • Network communication is exclusively with Azure Cognitive Services endpoints (e.g., https://eastus.api.cognitive.microsoft.com), which are official and trusted. No attempts to connect to non-whitelisted or suspicious domains were detected.
  • No sensitive file paths (e.g., ~/.aws/credentials, ~/.ssh/id_rsa) are accessed or exfiltrated.

3. Obfuscation: No malicious obfuscation techniques (e.g., multi-layer Base64, zero-width characters, homoglyphs, URL/hex/HTML encoding for hidden commands) were detected. The use of base64.b64encode and base64.b64decode is for standard audio data encoding, not for hiding malicious content.

4. Unverifiable Dependencies: The pip install command for azure-ai-voicelive, aiohttp, and azure-identity constitutes an external dependency. However, as noted above, these packages come from trusted sources, leading to a LOW/INFO severity for this finding. A reference to https://github.com/Azure/azure-sdk-for-python is also present; it belongs to a trusted GitHub organization and is also rated LOW/INFO.

5. Privilege Escalation: No commands or instructions for privilege escalation (e.g., sudo, chmod 777, service installation, modification of system files) were found.

6. Persistence Mechanisms: No attempts to establish persistence (e.g., modifying shell configuration files, creating cron jobs, LaunchAgents, systemd services, or SSH authorized_keys) were detected.

7. Metadata Poisoning: The name and description fields in SKILL.md are benign and accurately reflect the skill's purpose.

8. Indirect Prompt Injection: The skill processes user audio and text input, which inherently carries a risk of indirect prompt injection if the underlying AI model is vulnerable. This is an INFO level warning about a general risk associated with LLM interactions, not a vulnerability introduced by the skill's code itself.

9. Time-Delayed / Conditional Attacks: No conditional logic designed to trigger malicious behavior based on time, usage, or environment variables was found.

Conclusion: The skill is well-documented and provides safe examples for interacting with the Azure AI Voice Live SDK. All identified external dependencies and command executions are to trusted sources and for legitimate purposes. No malicious patterns or high-severity threats were detected.

Audit Metadata
Risk Level: LOW
Analyzed: Feb 13, 2026, 10:25 AM