azure-devops
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFE
PROMPT_INJECTION EXTERNAL_DOWNLOADS COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it retrieves and processes untrusted content from Azure DevOps, including pull request comments, work item descriptions, wiki pages, and build logs. An attacker could embed malicious instructions in these collaborative fields to influence the agent's behavior.
  - Ingestion points: scripts/repos.py (pull request details and threads), scripts/work_items.py (work item fields and comments), scripts/wiki.py (page content), and scripts/pipelines.py (build logs).
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands are used when presenting external data to the agent.
  - Capability inventory: The skill possesses extensive capabilities, including running pipelines, creating pull requests, managing branch policies, and deleting work items.
  - Sanitization: Fetched data is processed as raw text without sanitization for potential injection patterns.
- [EXTERNAL_DOWNLOADS]: The scripts/attachments.py script includes a download command that fetches files from remote URLs. This functionality includes robust hostname validation to ensure downloads are restricted to official Microsoft domains (*.dev.azure.com or *.visualstudio.com), which prevents credential leakage to unauthorized third-party hosts.
- [COMMAND_EXECUTION]: The skill utilizes dedicated Python scripts to perform Azure DevOps API operations. These scripts use standard libraries for network requests and do not contain any arbitrary command execution, shell injection, or dynamic code evaluation vulnerabilities.
Audit Metadata