Back to skill

Security audit

Agent Framework Azure Ai Py

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for building Azure AI Foundry agents; its cloud, web search, MCP, file, and thread examples are powerful but aligned with the stated purpose.

Install this skill only if you are building Azure AI Foundry agents. Before copying examples into real projects, pin package versions, use least-privilege Azure and MCP credentials, avoid hardcoded tokens, require approval for sensitive or mutating MCP actions, and do not upload private files or send sensitive prompts to Azure, Bing, or third-party services without appropriate review and consent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill prominently encourages use of hosted web search, code execution, MCP integrations, and persistent threads, but does not warn that prompts, files, search queries, and conversation history may be transmitted to external Azure and search-backed services. In a skill designed for agent builders, this omission can cause downstream users to unknowingly route sensitive data into third-party hosted systems and retain it across sessions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The environment and usage examples show configuration of Azure project endpoints, model deployments, Bing-backed web search, and hosted tool execution without warning that these integrations may send prompts, tool inputs, outputs, and metadata to external services. Because the examples are ready to copy-paste, users may deploy them without realizing the privacy, retention, and compliance implications of these outbound data flows.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The file upload example transmits a local file to a remote Azure agents service but does not clearly warn users that local contents leave the host boundary. In an agent skill, this can lead to accidental exposure of sensitive local data if users copy the pattern without understanding the remote upload behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example sets approval_mode="never_require" for an MCP tool, enabling automatic execution of remote MCP actions without any accompanying warning about trust boundaries or the possibility of destructive server-side operations. In an agent framework reference, this can normalize unsafe defaults and lead developers to permit autonomous calls to third-party or internal MCP servers that may perform sensitive reads or modifications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The authentication example embeds a bearer token directly in sample headers and provides no warning about secret handling, which encourages copy-paste practices that can result in hardcoded credentials in source control, logs, or documentation. Because this skill is about integrating remote MCP servers, exposed tokens could grant access to private APIs or internal data sources.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The custom HTTP client example sends an authentication token in headers but omits warnings about secure sourcing, token scope, and accidental leakage through debugging or reuse of the client object. In this context, developers are being shown how to connect agents to authenticated external systems, so insecure credential patterns can directly expose privileged access.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The example persists conversation identifiers to disk in a local JSON file without noting that these IDs may enable conversation resumption or expose metadata about ongoing agent sessions. While not a direct secret leak by itself, storing thread identifiers without access controls, lifecycle guidance, or sensitivity warnings can lead developers to treat them as harmless and retain them insecurely, increasing the risk of unauthorized conversation access or correlation.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The web search examples show how to enable HostedWebSearchTool but do not warn that user prompts and query content may be transmitted to an external search provider. This can lead developers to unknowingly route sensitive user data, secrets, or internal context to a third party, creating a privacy and compliance risk even if no direct code exploit is present.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.