azure-storage-blob-py
Audited by Gen Agent Trust Hub on Feb 13, 2026
The skill SKILL.md and its accompanying references/acceptance-criteria.md provide comprehensive documentation and code examples for interacting with Azure Blob Storage using Python. The analysis found the following:
- Prompt Injection: No patterns indicative of prompt injection were found in either file. The language is instructional and does not attempt to override the agent's behavior or bypass safety guidelines.
- Data Exfiltration: The skill's core purpose is to facilitate data transfer (upload/download) to and from Azure Blob Storage. The examples provided use local files (./local-file.txt, ./downloaded.txt) and do not reference sensitive system files (e.g., ~/.ssh/id_rsa, ~/.aws/credentials). The skill explicitly warns against hardcoding secrets and recommends using DefaultAzureCredential for authentication, which is a strong security practice. While an agent could be instructed to use this skill to upload sensitive local data to a malicious blob storage account, this is a risk inherent to the functionality of any data transfer skill, not a vulnerability within the skill's instructions themselves. Therefore, no direct malicious data exfiltration patterns were detected in the skill's code or instructions.
- Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, URL/hex/HTML encoding) were detected in either file.
- Unverifiable Dependencies (LOW): The SKILL.md file instructs the user to run pip install azure-storage-blob azure-identity. These packages are maintained by the azure organization on GitHub, which is listed as a trusted external source. The references/acceptance-criteria.md also references https://github.com/Azure/azure-sdk-for-python, another trusted source. This is noted as a LOW severity finding because it involves external downloads, but the source is trusted.
- Privilege Escalation: No commands or instructions that attempt to acquire elevated privileges (e.g., sudo, chmod +x, chmod 777, modifications to system files) were found.
- Persistence Mechanisms: No instructions for establishing persistence (e.g., modifying shell configuration files, creating cron jobs, setting up LaunchAgents/Daemons) were found.
- Metadata Poisoning: The metadata fields (name, description, package) in SKILL.md are benign and accurately describe the skill's purpose.
- Indirect Prompt Injection (INFO): As the skill enables interaction with arbitrary blob content, an agent processing data downloaded from blob storage could theoretically be susceptible to indirect prompt injection if the blob content itself contains malicious instructions. This is a general risk for any skill that processes external, untrusted data, and not a direct vulnerability in the skill's instructions.
- Time-Delayed / Conditional Attacks: No conditional logic based on dates, times, usage counts, or environment variables that would trigger malicious behavior was found.
Conclusion: The skill is well-documented, provides legitimate functionality, and adheres to good security practices by recommending secure authentication methods. The external dependencies are from trusted sources. The potential risks are inherent to the nature of a data transfer skill rather than malicious intent within the skill's instructions.