Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Azure Ai Agents Py - Microsoft Foundry

v0.1.0

Build AI agents using the Azure AI Agents Python SDK (azure-ai-agents). Use when creating agents hosted on Azure AI Foundry with tools (File Search, Code Interpreter, Bing Grounding, Azure AI Search, Function Calling, OpenAPI, MCP), managing threads and messages, implementing streaming responses, or working with vector stores. This is the low-level SDK - for higher-level abstractions, use the agent-framework skill instead.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description match the SKILL.md content: it's a usage guide for the azure-ai-agents Python SDK and shows how to create agents, threads, runs, upload files, and add tools. The requested capabilities (agent creation, tools, file uploads, vector stores) align with the stated purpose.
! Instruction Scope
SKILL.md's instructions include code that reads environment variables (PROJECT_ENDPOINT, MODEL_DEPLOYMENT_NAME), uses DefaultAzureCredential (which can surface various credentials), and uploads local files (client.files.upload_and_poll with file_path). The skill metadata claims no required env vars or config paths, so the instructions ask the agent to access secret-bearing env vars and local files that are outside the declared scope.
Install Mechanism
This is instruction-only with no install spec or downloaded code; nothing will be written to disk by an installer. That is the lower-risk install model.
! Credentials
The SKILL.md relies on Azure authentication via DefaultAzureCredential and explicit env vars (PROJECT_ENDPOINT, MODEL_DEPLOYMENT_NAME) but the skill metadata lists no required environment variables or primary credential. DefaultAzureCredential can use AZURE_CLIENT_ID/AZURE_CLIENT_SECRET/AZURE_TENANT_ID, managed identity, or other local credentials — access to these secrets is high-privilege and should be explicitly declared and scoped.
Persistence & Privilege
The skill is not always-enabled and does not request persistent/autonomous elevation (always: false). There is no installable code that alters other skills or global agent settings.
What to consider before installing
This skill is an instruction-only README for the Azure AI Agents Python SDK and appears to be legitimate documentation, but it asks you to use Azure credentials and to upload local files while the registry metadata declares no required environment variables. Before installing or invoking this skill:

1) Verify the skill's source and provenance (author, repository) — this metadata lists an unknown source.
2) Assume it will require PROJECT_ENDPOINT and MODEL_DEPLOYMENT_NAME plus Azure credentials via DefaultAzureCredential (AZURE_CLIENT_ID / AZURE_CLIENT_SECRET / AZURE_TENANT_ID or managed identity). Provide only least-privilege credentials and consider creating a dedicated Azure project/resource with minimal rights for testing.
3) Be aware the examples upload local files — do not allow the skill to access sensitive local files or secrets.
4) If you need stronger assurance, ask the publisher to update the skill metadata to explicitly declare required env vars and the exact auth flow, or request a signed/referenced upstream repo link.

If you cannot validate the source or limit credentials/files, treat the skill as potentially risky and avoid granting access to production credentials or sensitive files.

Like a lobster shell, security has layers — review code before you run it.
