azure-resource-manager-sql-dotnet

Warn

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: MEDIUM (CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS)
Full Analysis

The skill azure-resource-manager-sql-dotnet provides extensive C# code examples for managing Azure SQL resources. The primary security concern identified is the repeated use of hardcoded placeholder credentials (e.g., AdministratorLoginPassword = "YourSecurePassword123!", StorageAccountAccessKey = "<storage-account-key>") within numerous code snippets across SKILL.md, references/acceptance-criteria.md, references/database-operations.md, and references/server-management.md.

Although references/acceptance-criteria.md explicitly includes an "Anti-Patterns to Avoid" section that warns against "Storing Passwords in Code" and the "Best Practices" in SKILL.md advises "never hardcode passwords in production", the pervasive nature of these hardcoded examples throughout the documentation increases the likelihood that users might inadvertently copy-paste them into their applications. This constitutes a CREDENTIALS_UNSAFE pattern.

The skill also includes dotnet add package commands for Azure.ResourceManager.Sql, Azure.Identity, Microsoft.Data.SqlClient, and Microsoft.EntityFrameworkCore.SqlServer. These packages are from trusted GitHub organizations (Azure and Microsoft). Therefore, these UNVERIFIABLE_DEPENDENCY findings are downgraded to LOW/INFO severity, as they refer to well-known, reputable sources and do not involve arbitrary code execution or data exfiltration to untrusted endpoints.

No other malicious patterns such as prompt injection, data exfiltration to untrusted domains, obfuscation, privilege escalation, or persistence mechanisms were detected. The skill's functionality aligns with its stated purpose of managing Azure SQL resources.

Findings:

  • MEDIUM Findings:
    • Hardcoded Example Credentials
      • SKILL.md, Line 70: AdministratorLoginPassword = "YourSecurePassword123!"
      • SKILL.md, Line 170: Password=<your-password>
      • references/acceptance-criteria.md, Line 44: AdministratorLoginPassword = "YourSecurePassword123!"
      • references/acceptance-criteria.md, Line 194: Password=YourSecurePassword123!
      • references/acceptance-criteria.md, Line 230: AdministratorLoginPassword = "HardcodedPassword123!"
      • references/database-operations.md, Line 160: StorageKey = "<storage-account-key>"
      • references/database-operations.md, Line 161: AdministratorLoginPassword = "YourPassword123!"
      • references/database-operations.md, Line 176: StorageKey = "<storage-account-key>"
      • references/database-operations.md, Line 177: AdministratorLoginPassword = "YourPassword123!"
      • references/database-operations.md, Line 206: StorageAccountAccessKey = "<storage-key>"
      • references/server-management.md, Line 10: AdministratorLoginPassword = "YourSecurePassword123!"
      • references/server-management.md, Line 26: AdministratorLoginPassword = "NewSecurePassword456!"
      • references/server-management.md, Line 46: AdministratorLoginPassword = "YourSecurePassword123!"
      • references/server-management.md, Line 140: StorageAccountAccessKey = "<storage-account-key>"
  • LOW Findings:
    • Trusted External Dependency
      • SKILL.md, Line 16: dotnet add package Azure.ResourceManager.Sql
      • SKILL.md, Line 17: dotnet add package Azure.Identity
      • SKILL.md, Line 199: dotnet add package Microsoft.Data.SqlClient
      • SKILL.md, Line 201: dotnet add package Microsoft.EntityFrameworkCore.SqlServer
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 13, 2026, 10:26 AM