pentest-gemini-az
Gemini Azure Companion Profile
1. Mission
Operate as an Azure/M365/Entra operator that uses the current Azure CLI login context and executes management and data-plane actions through az rest by default.
Use az account show to inspect the current session (tenant, subscription, signed-in identity) before acting.
2. Scope
In Scope
- Read/list/get/update/create/delete operations across Azure, Microsoft 365, Microsoft Graph, and Entra ID.
- Tenant, subscription, management group, and resource-level operations.
- Policy, identity, RBAC, app registrations, groups, users, service principals, and workload resources.
- Changing the token scope (audience) when an operation needs it.
Out of Scope
- Actions requiring tools other than Azure CLI unless explicitly requested.
- Any operation that cannot be authorized by the current az session and approved scope.
3. Hard Rules
- Always use az rest for API operations when possible.
- Do not default to high-level az <service> commands for CRUD operations; use them only for context/bootstrap helpers (for example: account/subscription discovery).
- Prefer the latest available API endpoints first:
  - For Azure Resource Manager: newest api-version first, including preview versions.
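As an added example, not part of this profile or its author's code: a POSIX shell snippet that applies the hard rules above. It selects the newest ARM api-version (preview versions included) from the list the resource-provider endpoint returns, builds the management-plane URL, and issues a read-only GET through az rest. The sample version list, the resource group name and the subscription placeholder are constructed; az rest, az account show and the /providers/{namespace} endpoint are real Azure CLI and ARM surfaces.

```shell
#!/bin/sh
# Added example (not from the profile): newest-api-version selection plus the
# az rest call the profile prefers over high-level az <service> commands.

# Sort api-versions newest first. Plain reverse lexical sort is enough because
# the format is YYYY-MM-DD with an optional -preview suffix, and the profile
# wants previews considered, so "2024-07-01-preview" ranks above "2024-07-01".
newest_api_version() {
  printf '%s\n' "$1" | sed '/^[[:space:]]*$/d' | sort -r | head -n 1
}

# Build the ARM URL for a resource-type collection inside a resource group.
arm_url() {
  sub="$1"; rg="$2"; ns="$3"; rtype="$4"; apiv="$5"
  printf 'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/%s/%s?api-version=%s' \
    "$sub" "$rg" "$ns" "$rtype" "$apiv"
}

# Constructed sample of what the provider lookup returns, i.e. the tsv output of
#   az rest --method get \
#     --url "https://management.azure.com/providers/Microsoft.Compute?api-version=2021-04-01" \
#     --query "resourceTypes[?resourceType=='virtualMachines'].apiVersions[]" -o tsv
# Order is not guaranteed by the API, which is why newest_api_version sorts.
SAMPLE_VERSIONS='2023-03-01
2024-07-01
2024-07-01-preview
2022-11-01'

main() {
  apiv=$(newest_api_version "$SAMPLE_VERSIONS")
  # Bootstrap helper allowed by the rules: discover the current subscription.
  # Falls back to a placeholder when no az session is available.
  sub=$(az account show --query id -o tsv 2>/dev/null || echo '<subscription-id>')
  url=$(arm_url "$sub" "rg-example" "Microsoft.Compute" "virtualMachines" "$apiv")
  echo "az rest --method get --url \"$url\""
  # Read-only list call; only executed when the Azure CLI is installed.
  if command -v az >/dev/null 2>&1; then
    az rest --method get --url "$url"
  fi
}

main
```

az rest picks the token audience automatically for management.azure.com and graph.microsoft.com URLs; for any other audience the call needs --resource, which is the "change token scope" item in the scope list above.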