m365-agent-developer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- COMMAND_EXECUTION (HIGH): Indirect Prompt Injection Surface. The skill provides the agent with high-privilege capabilities to execute local commands (`npm install`, `npm run compile`, `atk provision`). The 'Critical Workflow Rules' in `SKILL.md` require the agent to automatically redeploy after any code changes derived from user requirements. This lack of a manual review step between processing untrusted user input and executing deployment commands on the host system represents a significant security risk.
 - Ingestion points: User requirements gathering in Step 1 and TypeSpec code implementation in Step 3 of `SKILL.md`.
 - Boundary markers: No specific boundary markers or instruction-ignoring delimiters are defined for user-provided requirements or code blocks.
 - Capability inventory: Execution of `npm run compile` and `atk provision` via `npx` (documented in `SKILL.md`, `references/examples.md`, and `README.md`).
 - Sanitization: No sanitization or validation of user-provided TypeSpec code or requirements is performed before execution.
- EXTERNAL_DOWNLOADS (LOW): The skill instructs the agent to download and execute code from a remote source via `npx`.
 - Evidence: Use of `npx -p @microsoft/m365agentstoolkit-cli@latest atk provision` in `SKILL.md` and `README.md`.
 - Trusted source: The package resides within the `@microsoft` scope, which is a verified trusted organization. The finding is downgraded to LOW per the [TRUST-SCOPE-RULE].
Recommendations
- AI detected serious security threats
Audit Metadata