azure-mgmt-botservice-py
Audited by Gen Agent Trust Hub on Feb 13, 2026
The skill SKILL.md and its accompanying references/acceptance-criteria.md primarily serve as documentation and code examples for interacting with the Azure Bot Service Management SDK for Python.
1. Prompt Injection: No patterns indicative of prompt injection (e.g., 'IMPORTANT: Ignore', 'You are now DAN') were found in either the skill description or the code examples.
2. Data Exfiltration: No commands or code snippets were found that attempt to read sensitive local files (e.g., ~/.aws/credentials, ~/.ssh/id_rsa) or exfiltrate data to non-whitelisted external domains. The skill does handle sensitive information like OAuth client_secret during connection setup, but the examples use placeholders (<oauth-client-secret>) and the 'Best Practices' section explicitly recommends storing such secrets securely (e.g., in Key Vault), indicating good security awareness.
3. Obfuscation: No obfuscation techniques such as Base64 encoding, zero-width characters, homoglyphs, or excessive URL/hex/HTML encoding were detected in either file.
4. Unverifiable Dependencies: The skill instructs the user to install Python packages via pip install azure-mgmt-botservice and pip install azure-identity. These packages are part of the official Azure SDK for Python, maintained by Microsoft (a trusted GitHub organization: Azure/azure-sdk-for-python). While any external dependency introduces a degree of risk, the trusted source significantly downgrades the severity of this finding. This is noted as a LOW severity finding.
5. Privilege Escalation: No commands like sudo, chmod +x, chmod 777, or attempts to install system services were found.
6. Persistence Mechanisms: No attempts to establish persistence (e.g., modifying .bashrc, creating cron jobs, or manipulating authorized_keys) were detected.
7. Metadata Poisoning: The skill's metadata (name, description, triggers) and the content of the references/acceptance-criteria.md file are benign and accurately reflect the skill's purpose. No hidden malicious instructions were found.
8. Indirect Prompt Injection: The skill itself does not process arbitrary external content in a way that would make it susceptible to indirect prompt injection. The bots managed by this skill might be, but that is outside the scope of this skill's analysis.
9. Time-Delayed / Conditional Attacks: No conditional logic based on dates, usage counts, or specific environment triggers that would indicate a time-delayed or conditional attack was found.
Overall, the skill is well-documented and follows good security practices for managing Azure resources. The only finding is the installation of dependencies from a trusted external source, which is considered low risk.