azure-devops-cli
Fail
Audited by Snyk on Mar 3, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt contains multiple examples that place PATs, passwords, service principal keys, and webhooks directly in command-line flags or config files (e.g., --token YOUR_PAT_TOKEN, --password {password-or-pat}, serviceprincipalkey in JSON, curl with $slack_webhook), which encourages embedding secrets verbatim in generated commands or files.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's workflow explicitly shows commands that import and create pipelines from public Git repositories (e.g., "az repos import create --git-source-url https://github.com/user/repo" and "az pipelines create --repository https://github.com/Org/Repo") and download artifacts / fallback URLs (e.g., curl "$BACKUP_URL"), which clearly ingest untrusted, user-generated third‑party content (repo files, pipeline YAML, artifacts) that can influence tool actions and automation defined in the SKILL.md examples.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's prerequisites include the command "curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash", which fetches and immediately executes a remote install script (remote code execution) and is presented as a required dependency for the skill.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill includes explicit instructions that run privileged install commands (e.g., "curl ... | sudo bash") which request sudo elevation and can modify the host system, so it pushes the agent toward privileged actions on the machine.