Agent Framework Azure Ai Py

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for building Azure AI agents; its examples use powerful cloud tools, but the behavior is purpose-aligned and not hidden.

Install only if you are building Azure AI Foundry agents. Before running code copied from the examples, confirm the Azure project and identity, pin SDK versions, avoid uploading private files or prompts unless approved, require approval for sensitive MCP actions, restrict allowed tools, and keep tokens out of source code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Context-Inappropriate Capability

Medium severity, 93% confidence. Finding:
The debugging example prints raw tool-call arguments during streaming, which can include user prompts, retrieved document snippets, file contents, API parameters, or secrets passed to tools. In real deployments, debug logs are often centralized and retained, so this creates a practical sensitive-data exposure risk even though the example is framed as troubleshooting guidance.

Missing User Warnings

Medium severity, 92% confidence. Finding:
The skill demonstrates HostedWebSearchTool and MCP/network-connected tooling without warning that prompts, retrieved context, files, or other user-supplied data may be transmitted to external services. In an agent-building skill, this omission can lead developers to integrate networked tools into sensitive workflows without consent, data-classification checks, or egress controls, creating privacy and compliance risk.

Missing User Warnings

Medium severity, 90% confidence. Finding:
The conversation-thread example promotes persistent threads and shows saving a conversation ID, but does not warn that thread contents may be retained and reused across turns or resumed later. This can cause developers to place secrets, personal data, or tenant-specific context into persistent conversations without understanding retention, access, or cross-session exposure risks.

Missing User Warnings

Medium severity, 82% confidence. Finding:
The OpenAPI authentication example shows sending requests to an external API with authorization headers but provides no warning that prompts, tool parameters, or returned data may leave the local trust boundary. This can lead developers to integrate third-party services without adequate user notice, data classification, or secret-handling controls.

Missing User Warnings

Medium severity, 90% confidence. Finding:
The file upload workflow sends a local CSV to a remote Azure agents service but does not warn that local file contents are being transmitted and stored outside the local environment. This omission can cause accidental disclosure of sensitive business or personal data when developers copy the example with real files.

Missing User Warnings

Medium severity, 95% confidence. Finding:
The documentation repeatedly uses approval_mode="never_require" for MCP tools, which normalizes automatic execution of external tool actions without any warning about review gates or trust boundaries. In an agent framework, MCP tools can expose read/write operations against remote systems, so disabling approval by default can lead to unintended external actions or data access if the model is prompted or misconfigured.

Missing User Warnings

Medium severity, 97% confidence. Finding:
The example shows embedding an Authorization bearer token directly in headers for an external MCP server without guidance on secret handling, least privilege, or the fact that credentials will be transmitted to a third-party endpoint. This encourages insecure copy-paste patterns, increases risk of hardcoded secret leakage, and may cause users to send sensitive credentials to untrusted MCP servers.

Missing User Warnings

Medium severity, 97% confidence. Finding:
The custom HTTP client example sends a GitHub personal access token to an MCP endpoint without explaining token scope, outbound credential transmission, or the need to trust the remote server. In agent tooling, this is risky because broad PATs can grant repository or organizational access, and the example may be copied into production with excessive permissions.

Missing User Warnings

Medium severity, 93% confidence. Finding:
The HostedWebSearchTool examples show how to enable Bing-backed web search but do not disclose that user prompts or query content may be transmitted to an external service. In an agent framework skill, developers may copy this pattern into production and unknowingly route sensitive user data, internal prompts, or retrieved context to Bing, creating a privacy and data-governance risk.

VirusTotal

64/64 vendors flagged this skill as clean.