azure-search-documents-py
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMPROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (MEDIUM): The skill implements 'Agentic Retrieval' and 'Knowledge Base' features that ingest and process external data (Search Index documents) via an LLM.
- Ingestion Points:
references/agentic-retrieval.mdandscripts/setup_agentic_retrieval.pydefine workflows where an LLM (GPT-4o) synthesizes answers from retrieved search results. - Boundary Markers: Absent. There are no instructions to the LLM to ignore embedded commands within the retrieved documents.
- Capability Inventory: The LLM-generated responses are returned to the user/agent and can include citations and synthesized text. While the scripts themselves don't execute the LLM output, an agent using this skill to make decisions based on retrieved content is vulnerable to indirect injection.
- Sanitization: None detected. The skill passes retrieved content directly to the LLM for synthesis.
- DATA_EXFILTRATION (LOW): The skill performs network operations to Azure Search and Azure OpenAI endpoints. These are generally considered trusted in an enterprise context but represent a path for data movement. Use of
DefaultAzureCredentialis a security best practice that mitigates credential exposure risk.
Audit Metadata