azure-compliance
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill possesses an attack surface for indirect prompt injection where malicious instructions could be embedded in Azure resource metadata (names, tags, properties) and ingested by the agent during analysis.
- Ingestion points: Data enters the agent context through `azqr` scan reports (Excel sheets such as Recommendations and ImpactedResources), Azure Resource Graph query results, and Key Vault item metadata.
- Boundary markers: Absent. The instructions do not specify the use of delimiters or 'ignore embedded instructions' warnings when processing resource lists.
- Capability inventory: The agent has access to sensitive tools including `keyvault_secret_get` (retrieves secret values) and `mcp_azure_mcp_extension_azqr` (executes external scans).
- Sanitization: Absent. There is no explicit sanitization or validation of resource content mentioned in the workflow.
- [Dynamic Execution] (LOW): The skill utilizes an MCP tool to dynamically generate CLI commands based on user intent.
- Evidence: The skill references `mcp_azure_mcp_extension_cli_generate` to create `az graph query` commands in `references/azure-resource-graph.md`. This is classified as LOW severity as it follows standard patterns for template-based script generation.
- [External Downloads] (SAFE): The skill references external tools and libraries, but all are from trusted sources or standard registries.
- Evidence: References to `azqr` (Azure Quick Review) point to `azure.github.io`, which is a trusted organization. SDK installation instructions in `references/sdk/` use standard package managers (pip, npm, cargo) for legitimate Azure SDKs.
Audit Metadata