Power Automate Debug

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Power Automate debugging skill, but it should be reviewed because it can edit and rerun live automations without clear safety gates.

Install only if you trust FlowStudio MCP and can provide a least-privilege token. Before allowing the agent to update or rerun a flow, require it to show the exact target flow, the proposed change, the expected downstream effects, and a rollback plan, and to obtain explicit approval, preferably in a test environment first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium, 92% confidence
Finding
The skill is framed as a debugging aid, but it explicitly instructs the agent to modify live flow definitions and execute runs as part of the workflow. That expands the effective privilege and action surface from read-only diagnostics to state-changing operations, increasing the risk of unintended production changes or side effects during what a user may perceive as safe troubleshooting.

Context-Inappropriate Capability

Medium, 95% confidence
Finding
The documented use of `update_live_flow` allows direct modification of production flow definitions despite the skill's stated debugging purpose. In an agent setting, this can lead to unauthorized or accidental changes, break working automations, or introduce logic changes without an adequate approval boundary.

Context-Inappropriate Capability

Low, 90% confidence
Finding
The skill includes `resubmit_live_flow_run` and `trigger_live_flow`, which can cause real-world actions to be replayed or newly invoked. Even if intended for testing, these operations exceed passive diagnosis and may resend emails, recreate records, call external APIs, or duplicate downstream side effects.

Description-Behavior Mismatch

Medium, 95% confidence
Finding
The guide explicitly instructs the agent to modify a live flow with `update_live_flow` and then resubmit it, which exceeds the stated debugging/inspection purpose of the skill. In an agent context, this is dangerous because a user asking to diagnose a failure could unintentionally trigger production changes or side effects without a clear consent boundary.

Description-Behavior Mismatch

Medium, 91% confidence
Finding
Recommending addition of a retry policy changes runtime behavior rather than merely diagnosing the problem. That can mask underlying failures, increase load on downstream systems, and cause repeated side effects if the HTTP action is not idempotent.

Description-Behavior Mismatch

Medium, 94% confidence
Finding
The post-fix checklist directs the agent to resubmit runs and validate downstream effects, which can actively execute business logic, send emails, write to SharePoint, or trigger child flows. In a debugging skill, these execution steps materially increase operational risk because they can cause unintended real-world actions.

Missing User Warnings

Medium, 94% confidence
Finding
The flow-update example performs a live definition change with no warning, review step, backup, or confirmation requirement. In a production automation context, silent mutation is dangerous because a debugging session can become an unapproved deployment, potentially disrupting business processes or masking the original issue.

Missing User Warnings

Medium, 96% confidence
Finding
The resubmission workflow encourages replaying prior runs without warning that the original trigger payload may cause duplicate external effects. In Power Automate, rerunning a flow can resend notifications, recreate tickets, write duplicate records, or re-execute integrations, making this a meaningful operational safety issue.

Missing User Warnings

Medium, 97% confidence
Finding
The workflow includes updating a live flow and resubmitting runs without any warning that these actions may alter production automations or trigger external effects. The absence of safety messaging is especially risky in an agent-operated skill because the agent may proceed automatically, creating unauthorized or unexpected changes.

VirusTotal

64/64 vendors flagged this skill as clean.