NYC

azure-devops

Pass

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: SAFE
Full Analysis
  • [Data Exposure & Exfiltration] (SAFE): The implementation utilizes the keyring library to manage Azure DevOps Personal Access Tokens (PAT) and OAuth tokens. This is a secure practice that avoids storing sensitive credentials in plain text files or environment variables.
  • [Data Exposure & Exfiltration] (SAFE): The download tool in scripts/attachments.py implements a whitelist check for hostnames (_ALLOWED_HOSTS). This ensures that the agent's Authorization headers are only sent to verified Azure DevOps domains, effectively preventing credential exfiltration through malicious attachment URLs.
  • [Command Execution] (SAFE): The scripts avoid using dangerous functions like os.system(), subprocess.run(), or eval(). All interactions with the Azure DevOps service are performed through the standard Python urllib.request library.
  • [Indirect Prompt Injection] (LOW): The skill has a large attack surface as it reads data from various Azure DevOps components (Wikis, Work Items, Pipelines). While an attacker could place malicious instructions in these locations, the skill itself does not perform any unsafe interpolation or execution of the retrieved data. It simply provides the data back to the agent as structured JSON.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 19, 2026, 06:19 PM