microsoft-agent-framework
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: A high-severity static analysis signal was identified in references/official-docs/integrations/ag-ui/security-considerations.md. This is a false positive; the file is a security tutorial that includes examples of common attack patterns (e.g., 'Ignore previous instructions') to teach developers how to defend against them.
- [DATA_EXPOSURE]: The documentation references the use of environment variables and configuration files for API keys (e.g., AZURE_OPENAI_API_KEY). The skill follows industry-standard best practices by recommending the use of DefaultAzureCredential, ManagedIdentityCredential, and local secret managers (user-secrets) rather than hardcoding credentials.
- [REMOTE_CODE_EXECUTION]: The framework supports a 'Code Interpreter' tool and 'Model Context Protocol (MCP)' for executing external logic. These are core features of the framework. The documentation includes explicit warnings regarding the risks of connecting to third-party MCP servers and recommends auditing all data exchanged with external services.
- [EXTERNAL_DOWNLOADS]: All referenced dependencies and packages (e.g., Microsoft.Agents.*, Azure.AI.OpenAI, anthropic, semantic-kernel) originate from established organizations and official package registries. These are documented neutrally as required components for using the framework.
- [INDIRECT_PROMPT_INJECTION]: As a development framework for AI agents, the skill describes a system architecture that is naturally susceptible to indirect prompt injection through data ingestion.
  - Ingestion points: Data enters the system via user messages and external tool outputs (A2A, web search, MCP) as described in user-guide/agents/running-agents.md.
  - Boundary markers: The documentation provides guidance on using delimiters and isolating system instructions.
  - Capability inventory: The framework supports high-risk capabilities including Python code execution via the hosted code interpreter and file access via MCP, documented in user-guide/agents/agent-tools.md.
  - Sanitization: The skill promotes the use of middleware for security validation and integration with Microsoft Purview for data governance and policy enforcement.
Audit Metadata