azure-integrations
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE COMMAND_EXECUTION EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: PowerShell deployment scripts (deploy-appservice.ps1 and deploy-swa.ps1) execute local commands using Azure CLI (az), Static Web Apps CLI (swa), and Node.js package managers (npm, pnpm, yarn) to orchestrate cloud resource creation and code deployment.
- [EXTERNAL_DOWNLOADS]: The skill facilitates the download of application dependencies and deployment tools from public package registries during the build and setup stages of the deployment pipeline.
- [PROMPT_INJECTION]: Analysis of indirect injection surfaces (Category 8):
  1. Ingestion points: Local project configuration files (package.json, staticwebapp.config.json) and user-provided connection strings.
  2. Boundary markers: No explicit prompt boundary markers are used in the automated scripts.
  3. Capability inventory: Subprocess execution of az, swa, and npm; file system read/write; network access to Azure APIs.
  4. Sanitization: The skill utilizes PowerShell ValidatePattern for resource names and the PromptForCredential method for secure string handling of sensitive inputs.
- [SAFE]: The skill proactively implements cloud security best practices, including the use of Azure Managed Identity to eliminate hardcoded service-to-service credentials, Azure Key Vault for centralized secret management, and OIDC federation for secure CI/CD authentication without long-lived GitHub secrets.
Audit Metadata