m365-agents-dotnet

================================================================================

🔵 VERDICT: LOW

The skill describes how to build agents using official Microsoft SDKs. The primary findings relate to external dependencies from trusted sources and the handling of sensitive configuration data. While the skill provides examples that include placeholders for client secrets, it also explicitly recommends best practices for securing these secrets (e.g., using Key Vault or environment variables). No direct malicious behavior, obfuscation, or prompt injection attempts were detected.

Total Findings: 2

🔵 LOW Findings: • Potential Credential Exposure in Example Configuration

• SKILL.md:29: The appsettings.json example includes placeholders for ClientSecret and AppClientSecret. While the 'Best Practices' section advises storing these securely (Key Vault, env vars), the example itself shows them in a configuration file, which could be insecure if not handled properly in production.

ℹ️ TRUSTED SOURCE References: • External Dependency Download

• SKILL.md:20: The skill instructs to install packages using dotnet add package Microsoft.Agents.*. These packages are from the Microsoft organization on NuGet, which is a trusted source. This is noted as an informational finding due to the trusted nature of the source. • External Dependency Reference
• references/acceptance-criteria.md:3: The skill references https://github.com/microsoft/agents and https://www.nuget.org/packages?q=Microsoft.Agents. These are trusted sources from the microsoft organization.

================================================================================