Azure Bing Grounding

Security checks across malware telemetry and agentic risk

Overview

This looks like a cloud-backed Azure/Bing search assistant, with the main caveat that users should treat queries as data sent to external services.

Before installing, confirm you are comfortable with user queries and possibly surrounding context being processed by Azure/Bing services. Do not use it with secrets, confidential internal data, personal data, or regulated information unless your policy permits that cloud processing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The README explicitly describes sending user queries to Azure AI Agent Service and Bing Grounding Search, but it does not clearly warn that prompts and retrieved content will be transmitted to third-party cloud services. In an agent skill context, this can lead to unintentional disclosure of sensitive prompts, internal data, or regulated information because users and operators may assume the skill is local unless told otherwise.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal