attacking-entra-id-with-roadtools

Fail

Audited by Snyk on Jun 23, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt instructs embedding credentials and tokens verbatim in CLI commands and to print/store tokens (e.g., -p 'Password123!', --refresh-token <refresh_token>, --prt , --tokens-stdout), which requires the LLM to handle or output secret values directly and is therefore high-risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This repository and the included agent wrap ROADrecon/roadtx — an offensive toolkit explicitly designed to enumerate Entra ID tenants, harvest and store directory data, acquire/steal/exchange access/refresh tokens and PRTs, register devices, and pivot tokens across resources — capabilities that directly enable credential theft, token exfiltration, and remote lateral access and therefore present a high risk of malicious abuse if used outside explicit authorization.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

E006
CRITICAL

Malicious code pattern detected in skill scripts.

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 23, 2026, 03:40 AM
Issues
2
Security Audit — snyk — attacking-entra-id-with-roadtools