azure-cosmos-java

Pass

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: LOW
NO_CODE
Full Analysis

Prompt Injection: No patterns indicative of prompt injection were found in any of the provided files. The content is purely instructional and descriptive.

Data Exfiltration: No commands or instructions were found that attempt to exfiltrate sensitive data. The skill correctly advises using environment variables for credentials (COSMOS_ENDPOINT, COSMOS_KEY) and demonstrates retrieving them via System.getenv(). It also recommends DefaultAzureCredentialBuilder for secure authentication. An 'INCORRECT' example explicitly warns against hardcoding credentials, serving as a security best practice.

Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, URL/hex/HTML encoding) were detected in any of the files.

Unverifiable Dependencies: The skill references Maven dependencies (com.azure:azure-cosmos, com.azure:azure-sdk-bom, com.azure:azure-identity) and a GitHub repository (https://github.com/Azure/azure-sdk-for-java). All these sources belong to the com.azure or Azure GitHub organizations, which are listed as trusted external sources. These references are for documentation purposes and do not involve the skill executing external code directly. Therefore, these are noted as informational findings (LOW/INFO) and do not elevate the overall risk.

Privilege Escalation: No commands or instructions were found that attempt to escalate privileges (e.g., sudo, chmod +x, chmod 777, service installations).

Persistence Mechanisms: No instructions were found that attempt to establish persistence (e.g., modifying shell profiles, creating cron jobs, LaunchAgents, systemd services, or SSH authorized_keys).

Metadata Poisoning: The metadata fields (name, description) in SKILL.md are benign and accurately describe the skill's purpose. No malicious instructions were embedded.

Indirect Prompt Injection: As the skill provides guidance on interacting with a database, there's a general theoretical risk of indirect prompt injection if the database stores user-controlled data that is later processed by an LLM. However, the skill's instructions themselves do not introduce this vulnerability, and it's a general concern for any data-handling skill. This is not a direct threat from the skill's code.

Time-Delayed / Conditional Attacks: No conditional logic or time-based triggers for malicious actions were detected.

Hardcoded Credentials: The skill explicitly warns against hardcoding credentials in references/acceptance-criteria.md, demonstrating good security awareness. Placeholders like <YOUR ENDPOINT HERE> are used in references/examples.md to indicate where user input is expected, not as actual hardcoded values.

SQL Injection: The skill explicitly warns against SQL injection vulnerabilities when constructing queries via string concatenation in references/acceptance-criteria.md, and provides correct parameterized query examples. This is a positive security feature.

Overall, the skill is purely informational and educational, providing guidance on using a trusted SDK securely. It does not contain any executable code that the agent would run, making it inherently safe in terms of direct execution threats.

Audit Metadata
Risk Level: LOW
Analyzed: Feb 13, 2026, 10:25 AM