azure-pipelines

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
  • [Command Execution]: The skill uses child_process.spawn and execSync to interact with the Azure CLI (az).
  • [Evidence]: This is a core part of its functionality to queue builds, check status, and manage extensions. To mitigate risks, the script implements strict regex-based validation for all user-provided inputs including build IDs, branch names, and pipeline variables.
  • [File Operations]: The skill performs file writes to the system's temporary directory for request bodies, logs, and artifacts.
  • [Evidence]: fs.writeFileSync is used to save downloaded logs and artifacts to os.tmpdir(). The script includes path traversal protections, specifically checking for .. or leading slashes in artifact names to ensure files are written only to the intended locations.
  • [Network Operations]: The script uses fetch and az rest to communicate with Azure DevOps APIs.
  • [Evidence]: These operations are directed solely at the dev.azure.com/monacotools organization. Authentication is managed securely via the Azure CLI's token management system (az account get-access-token), avoiding hardcoded credentials.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 1, 2026, 11:06 AM