azure-deploy

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill operates on untrusted repository content, including azure.yaml, Bicep templates, and Terraform configurations, while wielding high-privilege deployment tools (mcp_azure_mcp_azd, Azure CLI). An attacker could embed instructions within these files to manipulate the agent's logic during deployment.
      • Ingestion points: Processes azure.yaml, .azure/preparation-manifest.md, infra/main.bicep, and main.parameters.json.
      • Boundary markers: None explicitly implemented to isolate instructions from data in these files.
      • Capability inventory: Full resource provisioning, modification, and deletion via Azure CLI, AZD, and Terraform.
      • Sanitization: No evidence of sanitization or validation of the logic contained within infrastructure-as-code files.
  • [Command Execution] (MEDIUM): The documentation includes highly destructive commands such as az group delete --yes, azd down --force --purge, and terraform destroy -auto-approve. Although the skill's internal rules mandate the use of ask_user for these actions, the inclusion of automated 'yes/force' flags increases the risk of accidental or malicious execution if the agent's reasoning is compromised.
  • [Data Exposure & Exfiltration] (LOW): The verification recipes (e.g., recipes/azd/verify.md) instruct the agent to use curl to check deployment health. While legitimate, this pattern could be abused to exfiltrate sensitive environment data to an external endpoint if the target URL is manipulated.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 03:36 AM