declarative-agent-developer
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE (flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- Command Execution: The skill frequently invokes the Microsoft 365 Agents Toolkit (ATK) CLI using the `npx` utility. This allows for the automation of agent scaffolding, provisioning, and deployment. As the CLI is a first-party tool from the vendor, this is a standard and expected pattern for this development environment.
- Network Operations: To support features like Model Context Protocol (MCP) server integration and OAuth registration, the skill utilizes `curl` for network requests. These operations are used for probing well-known metadata endpoints and performing protocol handshakes necessary for plugin functionality.
- Workspace Security Gates: The skill implements a set of mandatory first steps and "hard rejection rules" to ensure it only operates within appropriate project contexts. It explicitly refuses to create or modify files in non-agent projects, which serves as a safeguard against accidental workspace corruption.
- Credential Management: Instructions within the skill guide the user to store sensitive OAuth client secrets in gitignored environment files (`.env.*.user`). This practice minimizes the risk of accidental secret exposure in version control systems.
- Indirect Prompt Injection Surface: The skill processes external data such as OpenAPI specifications and MCP tool definitions to generate agent capabilities. This represents a potential surface for indirect prompt injection if the external sources are compromised. The skill mitigates this by enforcing schema validation and requiring user interaction for authentication steps.
  - Ingestion points: OpenAPI specs from URLs or local files (`references/api-plugins.md`), MCP tool definitions from remote servers (`references/mcp-plugin.md`).
  - Boundary markers: The skill relies on JSON/YAML parsing and ATK CLI validation; explicit instruction-level boundary markers are not specified in the manifest logic.
  - Capability inventory: File system modification (scaffolding/editing), shell command execution (ATK CLI), and network requests (`curl`).
  - Sanitization: The skill relies on the ATK CLI's internal validation mechanisms and requires the agent to present a test link for manual user verification after provisioning.
Audit Metadata