hunting-saas-sso-token-abuse
Pass
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill contains KQL queries and CLI examples (az CLI, curl) for interacting with Azure and Okta services. These are legitimate tools for the stated purpose of threat hunting and session revocation.
- [EXTERNAL_DOWNLOADS]: References official documentation and community repositories from well-known and trusted sources, including Microsoft, Okta, MITRE, Mandiant, and NIST. All external links are relevant and safe.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The provided Python script interacts with the official Okta API using environment variables for authentication. It does not contain hardcoded credentials or evidence of data exfiltration to unauthorized third-party domains.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests external log data into the agent's context for analysis. This creates a surface for indirect prompt injection if logs contain malicious instructions; however, this is an inherent aspect of log analysis tools and no suspicious exploitation patterns are present.
Audit Metadata