azure-servicebus-py

The skill consists of a main markdown file (SKILL.md), several reference markdown files, and an executable Python script (scripts/setup_servicebus.py).

1. Prompt Injection: No patterns indicative of prompt injection were found in any of the files.
2. Data Exfiltration: The skill uses DefaultAzureCredential and environment variables (SERVICEBUS_FULLY_QUALIFIED_NAMESPACE, SERVICEBUS_CONNECTION_STRING) for authentication, which are standard and secure practices for Azure services. All network interactions are with Azure Service Bus, a legitimate cloud service. No sensitive local files are accessed, and no data is exfiltrated to untrusted external domains.
3. Obfuscation: No obfuscation techniques (e.g., Base64, zero-width characters, homoglyphs) were detected in any of the files.
4. Unverifiable Dependencies: The SKILL.md instructs users to run pip install azure-servicebus azure-identity. These packages are official Azure SDK components, maintained by Microsoft, which is a trusted GitHub organization. This dependency installation is noted as a LOW severity finding due to being an external download, but its risk is mitigated by the trusted source.
5. Privilege Escalation: No commands or patterns (e.g., sudo, chmod 777, service installations) that would attempt to escalate privileges were found.
6. Persistence Mechanisms: No attempts to establish persistence (e.g., modifying .bashrc, creating cron jobs, systemd services) were detected.
7. Metadata Poisoning: The metadata fields in SKILL.md (name, description) are benign and do not contain malicious instructions.
8. Indirect Prompt Injection: The skill does not process arbitrary external user-supplied content in a way that would lead to indirect prompt injection. The sql_filter argument in scripts/setup_servicebus.py is passed to the Azure SDK's SqlRuleFilter, which is designed to handle Service Bus filter expressions securely, not arbitrary SQL on a local database.
9. Time-Delayed / Conditional Attacks: No conditional logic was found that would trigger malicious behavior based on time, usage, or specific environmental factors.

Verdict Justification: The overall verdict is LOW because the only identified finding is the installation of external dependencies (azure-servicebus, azure-identity) via pip. However, these dependencies are from a highly trusted source (Microsoft/Azure SDK), significantly mitigating the risk. All other threat categories were found to be SAFE.