azure-compute-batch-java

The skill consists of three markdown files: SKILL.md, references/acceptance-criteria.md, and references/examples.md. These files primarily serve as documentation and provide Java code snippets demonstrating the usage of the Azure Batch SDK.

1. Prompt Injection: No patterns indicative of prompt injection were found in any of the files. The descriptions and instructions are straightforward and benign.

2. Data Exfiltration: The skill itself does not perform any data exfiltration. It correctly advises users to use environment variables (AZURE_BATCH_ENDPOINT, AZURE_BATCH_ACCOUNT, AZURE_BATCH_ACCESS_KEY) for sensitive information, and references/acceptance-criteria.md explicitly flags hardcoded credentials as incorrect. While the Azure Batch service, as demonstrated, can execute arbitrary commands and transfer files to/from specified URLs (potentially with SAS tokens), this is a core functionality of the service, not a malicious act by the skill's instructions. The skill does not provide malicious URLs or compromised tokens.

3. Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, URL/hex/HTML encoding) were detected in any of the files.

4. Unverifiable Dependencies: The skill references Maven dependencies com.azure:azure-compute-batch and com.azure:azure-identity. These artifacts are part of the Azure/azure-sdk-for-java project, which is maintained by Microsoft and listed as a Trusted GitHub Organization. Therefore, these dependencies are considered low risk.

5. Privilege Escalation: The skill demonstrates how to configure Azure Batch tasks to run with ElevationLevel.ADMIN (e.g., sudo apt-get update). This is a feature of the Azure Batch service, allowing users to run tasks with necessary permissions. The skill merely illustrates this capability and does not instruct the AI agent to perform unauthorized privilege escalation.

6. Persistence Mechanisms: No instructions or code snippets were found that attempt to establish persistence mechanisms (e.g., modifying .bashrc, creating cron jobs).

7. Metadata Poisoning: The name and description fields in SKILL.md are benign and accurately reflect the skill's purpose.

8. Indirect Prompt Injection: As the skill is primarily documentation and code examples, it does not process external user-supplied data in a way that would make it susceptible to indirect prompt injection.

9. Time-Delayed / Conditional Attacks: No patterns for time-delayed or conditional attacks were detected.

Conclusion: The skill is a well-documented set of examples for a legitimate SDK. It adheres to good security practices for credential handling and uses trusted external sources. The powerful capabilities demonstrated are features of the underlying Azure Batch service, not malicious intent within the skill's instructions.