m365-agents-dotnet

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS)
Full Analysis
  • Indirect Prompt Injection (MEDIUM): The skill provides a framework for processing external user messages that are treated as trusted input.
      • Ingestion points: External data enters through the IAgentHttpAdapter.ProcessAsync method at the /api/messages endpoint in SKILL.md and references/acceptance-criteria.md.
      • Boundary markers: Absent. There are no delimiters or instructions provided to differentiate user input from system instructions.
      • Capability inventory: The agent can send activities (SendActivityAsync), delete conversation state (DeleteStateAsync), and interact with Copilot Studio engines (CopilotClient).
      • Sanitization: Absent. User input is echoed directly in the OnMessageAsync handler without validation.
  • Data Exposure & Exfiltration (MEDIUM): The error handling implementation leads to potential information disclosure.
      • Evidence: In SKILL.md, the OnTurnErrorAsync method captures exception.Message and sends it to the user. This practice frequently leaks sensitive internal details, such as stack traces or internal configuration, to end-users.
  • External Downloads (LOW): The skill requires several NuGet packages.
      • Evidence: dotnet add package Microsoft.Agents.* commands in SKILL.md.
      • Trust Status: Packages belong to the microsoft organization, which is a Trusted External Source. Per [TRUST-SCOPE-RULE], this finding is downgraded to LOW/INFO.
  • Scanner Alert (INFO): An automated scanner flagged 'Microsoft.Agents.Authentication.Ms' as a phishing URL.
      • Analysis: This appears to be a false positive where the scanner misidentified the .Msal package namespace suffix as a Montserrat (.ms) TLD phishing domain. No evidence of malicious URLs was found in the code.
Recommendations
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 14, 2026, 05:00 PM