Back to skill

Security audit

Azure Keyvault Py

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Azure Key Vault Python SDK reference skill, but users should handle the secret, certificate, delete, and purge examples carefully.

Install only if you intend to work with Azure Key Vault from Python. Use least-privilege credentials, do not print or log secret values or certificate private keys, test destructive operations outside production first, and require human confirmation before deleting or purging vault contents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation includes a permanent deletion operation for secrets (`purge_deleted_secret`) without clearly warning that this is irreversible. In a credential-management skill, that omission can lead users to accidentally destroy production secrets and lose recovery options, causing outages or data-access failures.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The example prints a retrieved secret value directly to output (`print(f"Value: {secret.value}")`) without any privacy warning. In practice, developers often copy examples verbatim, so this can leak credentials into logs, terminals, CI output, or monitoring systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation shows how to retrieve certificate private-key material via the secret interface and notes that the value contains PEM or PKCS12, but does not warn that this is highly sensitive. In a Key Vault skill, exposing exportable private keys without handling guidance materially increases the risk of key exfiltration, impersonation, and TLS/code-signing compromise.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.