broker-build-deploy-fix-loop
Warn
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The script probe_broker_auth.py invokes the Azure CLI (az) via subprocess.run with shell=True on Windows to download secrets from Key Vault. Additionally, the skill uses CronCreate to establish a recurring task that persists across sessions for up to seven days, which is used to drive the autonomous loop.
- [CREDENTIALS_UNSAFE]: The skill automates the retrieval and handling of sensitive credentials, including Azure AD access tokens and PFX certificates. Certificates are downloaded to temporary files on the local filesystem, creating a risk of credential exposure if the skill's cleanup logic is interrupted or if the filesystem is shared.
- [PROMPT_INJECTION]: The skill's primary 'fix' loop relies on reading and interpreting build and application logs from external Azure services. This creates a significant surface for indirect prompt injection, where malicious content embedded in logs could influence the agent to perform unauthorized code changes or deployments.
  - Ingestion points: Build timeline logs from Azure DevOps and App Service container logs.
  - Boundary markers: No explicit delimiters or instructions to ignore malicious content within logs are provided in the prompt templates.
  - Capability inventory: The agent has the authority to perform git commit, git push, and trigger pipeline runs based on its analysis of external data.
  - Sanitization: No sanitization or validation of the external log content is performed before processing.
- [REMOTE_CODE_EXECUTION]: The script broker_auth_matrix.py performs dynamic code loading by importing probe_broker_auth.py at runtime using importlib.util.spec_from_file_location with a path computed from the user's home directory.
Audit Metadata