Azure Ai Agents Py - Microsoft Foundry

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent Azure AI Agents SDK guide, but it includes copyable agent-tool examples that use unsafe Python eval() and could execute arbitrary local code if followed directly.

Review before installing or following the examples. Do not copy the eval()-based calculator tool into real agent code; replace it with a restricted math parser or explicit validated operations. Use least-privilege Azure credentials, avoid uploading secrets or regulated data, and clean up agents, files, and vector stores after experiments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The example function uses Python's eval() on an expression string that can be influenced by agent or user input, enabling arbitrary code execution in the host process rather than just mathematical evaluation. In an AI agents SDK reference, readers may copy this pattern into production tool functions, making the documentation context especially risky because it normalizes a dangerous primitive for agent-triggered execution.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The example function advertises safe math evaluation but implements it with Python's unrestricted eval(), which can execute arbitrary Python code if model-generated or user-provided input reaches it. In an agent/tool-calling context, this is especially risky because the model may autonomously invoke the function with attacker-influenced arguments, leading to code execution in the host environment.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The examples create Azure-hosted agents, send prompts/messages to remote services, and may process user-provided content, but the documentation does not clearly warn that data is transmitted off-host to Azure-managed infrastructure. In a skill intended to be copied by users, this omission can lead to unintended disclosure of sensitive prompts, conversation data, or project metadata when users assume examples are purely local.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The file upload and vector store examples instruct users to upload local files and index them in Azure-managed storage/search resources without warning that file contents leave the local machine. This is risky because users may upload confidential documents, credentials, or regulated data under the assumption that the example is a harmless local preprocessing step.

VirusTotal

64/64 vendors flagged this skill as clean.