Back to skill

Security audit

Azure Ai Agents Py - Microsoft Foundry

Security checks across malware telemetry and agentic risk

Overview

This is mostly a coherent Azure SDK guide, but it includes copyable examples that could let agent-provided text run local code if used as written.

Review before installing or following the examples. Do not copy the eval()-based calculator pattern; replace it with a restricted math parser or explicit validated operations. Use least-privilege Azure credentials, avoid sending secrets or regulated data to hosted tools, only connect trusted MCP/OpenAPI/Bing/Azure Function resources, and clean up agents, files, vector stores, and queues after experiments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The example defines a function tool that evaluates arbitrary Python expressions using eval on model-influenced input. In an agent skill context, this can enable code execution if the model passes attacker-controlled expressions, and the file’s purpose is only to demonstrate async SDK patterns, so this unsafe primitive is unnecessary and especially risky as copy-paste sample code.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The example uses Python eval() on an expression string while claiming to evaluate math, which can execute arbitrary Python code if the input is attacker-controlled. In an agent/tooling context, this is especially dangerous because model-generated or user-supplied inputs may reach the function and turn a simple calculator example into code execution.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The Bing Grounding example shows a web-connected tool but does not warn that prompts, retrieved context, or other agent data may be sent to an external service. This can lead developers to unknowingly expose sensitive user, system, or enterprise data through search/tool calls.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The OpenAPI section demonstrates invoking external REST APIs, including authenticated and managed-identity-backed endpoints, without warning that agent-generated requests and data may leave the agent boundary. This omission can cause accidental data disclosure or unintended actions against privileged APIs.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The MCP example connects to a remote server and may forward agent requests, context, and tool arguments externally, but the documentation does not warn about this trust boundary. Developers may therefore connect untrusted MCP servers or expose sensitive context without realizing it.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The Azure Functions example sends tool inputs through storage queues to backend processing without warning that message contents may be persisted, logged, or processed by downstream services. This can expose sensitive data or create unintended side effects if developers assume local-only execution.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.