azure-cloud-migrate
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- Guided Command Execution: The skill generates comprehensive Bash and PowerShell scripts to automate migration tasks across different cloud providers. These scripts utilize well-known CLI tools (Azure CLI, AWS CLI, Google Cloud SDK, and kubectl) to provision resources and migrate data. While these are powerful capabilities, the skill implements a 'destructive action policy' requiring explicit user confirmation before making non-reversible changes.
- Indirect Prompt Injection Surface: The migration process involves the agent reading and analyzing source code and configuration files from the user's workspace (e.g., SAM templates, Procfiles, and YAML configurations). This ingestion of untrusted data represents an attack surface where malicious instructions embedded in project files could theoretically influence agent behavior, although no such instructions were found in the skill itself.
- Sensitive Data Handling Patterns: The skill facilitates the migration of environment variables and secrets from source platforms to Azure Key Vault. It includes security-enhancing patterns, such as using temporary files with restricted permissions (umask 077) and piping secrets directly between CLI tools to prevent sensitive data from being written to persistent storage or logged in shell history.
- Identity-First Authentication: Throughout the migration guides, there is a consistent emphasis on moving away from hardcoded connection strings and API keys. The skill prioritizes Azure Managed Identities (UAMI) and Entra ID authentication for service-to-service communication, which is a significant security improvement for migrated workloads.
- Network Operations and External Dependencies: The skill identifies and maps external service dependencies. It utilizes standard network operations like Docker image pulls and ACR imports from well-known registries. Health check verification is performed using standard utilities like curl against the newly deployed Azure endpoints.
Audit Metadata