copilot-sdk
Warn
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends the installation of several packages from public registries, such as
github-copilot-sdkon PyPI andGitHub.Copilot.SDKon NuGet. These names suggest an official GitHub origin, but they are not established standard libraries, and their provenance cannot be confirmed from the skill content alone. - [COMMAND_EXECUTION]: The instructions guide users to execute commands to initialize projects and run the Copilot CLI in server mode (
copilot --server --port 4321), which the SDK then connects to via local networking. - [PROMPT_INJECTION]: The interactive CLI assistant examples for TypeScript and Python demonstrate a surface for indirect prompt injection by passing raw user input directly to the model session.
- Ingestion points: User input is collected from
stdinviarl.questionandinput()in the 'Interactive CLI Assistant' section ofSKILL.md. - Boundary markers: None; the code examples do not implement delimiters or ignore-instructions markers to isolate user input.
- Capability inventory: The SDK provides capabilities for defining custom tools with executable handlers and connecting to MCP servers with potential repository access.
- Sanitization: No sanitization or validation of the user-provided input is performed before it is sent to the model.
Audit Metadata