Powerplatform
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill requires the agent to execute a bundled shell script,
tools/package-solution.sh, to automate the packaging of generated JSON flows into ZIP archives. Running non-standard scripts provided with a skill is a potential vector for system compromise if the scripts are modified or contain unsafe operations. - PROMPT_INJECTION (LOW): The skill's primary function is to transform natural language into complex Power Automate logic, which constitutes a surface for indirect prompt injection. A malicious input could trick the agent into generating a flow with harmful side effects, such as unauthorized data transmission.
- Ingestion points: Natural language descriptions provided by the user to define workflow logic.
- Boundary markers: No explicit delimiters or instructions are provided to the agent to treat user-provided text as untrusted data during the flow generation process.
- Capability inventory: The skill possesses the ability to read and write files within the user's work directory (
~/Projects/work/scripts/) and execute thepackage-solution.shscript. - Sanitization: There is no evidence of automated validation or sanitization of the generated flow JSON against security or compliance policies.
- Mitigation: The skill includes a 'Limitations' section explicitly stating that flows cannot be deployed directly and must be imported manually, providing a critical human-in-the-loop review stage.
Audit Metadata