azure-communication-chat-java

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to process content from an external source (Azure chat threads) that can contain malicious instructions.
      • Ingestion points: Untrusted data enters the agent context through threadClient.listMessages() and threadClient.getMessage() in SKILL.md.
      • Boundary markers: The code snippets do not include delimiters or instructions to treat message content as data rather than commands.
      • Capability inventory: The skill exposes high-privilege actions including addParticipants, removeParticipant, and deleteChatThread in SKILL.md.
      • Sanitization: No validation or sanitization of the message content is demonstrated before it is used by the agent.
  • Data Exposure (LOW): The skill facilitates the use of Azure access tokens and resource endpoints. While the documentation in references/acceptance-criteria.md correctly identifies hardcoded credentials as an anti-pattern and recommends environment variables, the inherent handling of these sensitive credentials constitutes a low-severity data exposure surface.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:35 AM