azure-resource-manager-playwright-dotnet

Detailed Analysis

1. Prompt Injection

No patterns indicative of prompt injection were found in either SKILL.md or references/acceptance-criteria.md. The content is purely instructional and descriptive, focusing on the usage of an Azure SDK.

2. Data Exfiltration

No commands or code snippets were found that attempt to read sensitive local files (e.g., ~/.aws/credentials, ~/.ssh/id_rsa) or exfiltrate data to untrusted external domains. The C# code examples demonstrate interaction with Azure APIs, which is the intended and legitimate function of the Azure SDK. Environment variables for Azure credentials are mentioned for setup but are not shown being exfiltrated.

3. Obfuscation

No obfuscation techniques (Base64, zero-width characters, homoglyphs, URL/hex/HTML encoding) were detected in either file.

4. Unverifiable Dependencies

• SKILL.md includes instructions for installing .NET packages:

  dotnet add package Azure.ResourceManager.Playwright
  dotnet add package Azure.Identity
  

  These packages are from nuget.org, which is the official .NET package repository and is considered a trusted source, analogous to npmjs.com or pypi.org which are whitelisted. The packages themselves are official Azure SDKs.
• references/acceptance-criteria.md explicitly links to https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/playwright/Azure.ResourceManager.Playwright and https://www.nuget.org/packages/Azure.ResourceManager.Playwright. The Azure GitHub organization is on the list of Trusted GitHub Organizations.
• Finding: LOW

• External dependency from trusted sources. This finding is noted but does not elevate the overall verdict due to the trusted nature of the sources.

5. Privilege Escalation

No commands like sudo, chmod +x, chmod 777, or attempts to install services or modify system files were found.

6. Persistence Mechanisms

No attempts to modify user configuration files (.bashrc, .zshrc), create cron jobs, or establish other persistence mechanisms were detected.

7. Metadata Poisoning

The name and description fields in SKILL.md are benign and accurately reflect the skill's purpose. No malicious instructions were embedded in metadata.

8. Indirect Prompt Injection

Not applicable. The skill does not process external, untrusted user-generated content that could contain hidden instructions.

9. Time-Delayed / Conditional Attacks

No conditional logic was found that would trigger malicious behavior based on dates, usage counts, or specific environment variables.

Adversarial Reasoning

The skill primarily serves as documentation and code examples for an official Azure SDK. Attackers typically hide malicious code in executable scripts or obscure parts of instructions. Here, the instructions are clear C# code examples and dotnet commands for environment setup. The explicit recommendation to "Always use DefaultAzureCredential — never hardcode keys" is a strong indicator of security awareness, making it less likely for the skill to contain hidden credential exfiltration. The references to official Microsoft documentation and GitHub repositories further reinforce its legitimacy. No suspicious "cleanliness" or missing error handling that would suggest hidden behavior was observed; error handling is explicitly demonstrated.