Security risk report for @forgecat/microsoft-azure_skills-azure-aigateway v0.0.4
Source Integrity
Low
Profile is sourced from Microsoft's official azure-skills repository (https://github.com/microsoft/azure-skills) with clear attribution and MIT license.
Content is legitimate Azure API Management documentation and configuration guidance; no supply-chain poisoning or typosquatted dependencies detected.
Agent Intent
Low
Profile contains instructional documentation for configuring Azure API Management as an AI Gateway; no hidden directives to manipulate the AI agent, exfiltrate credentials, or bypass security controls.
Content describes legitimate Azure governance patterns (semantic caching, token limits, content safety, RBAC) and best practices; no guidance poisoning or instructions to weaken security defaults.
References to 'jailbreak detection' and 'content safety' are DEFENSIVE mechanisms to protect AI outputs, not instructions to perform attacks.
Details
Evidence
Auth best practices explicitly state: 'Never hardcode credentials, connection strings, or keys' and 'Use managed identity for all Azure-hosted apps'.
Jailbreak detection section describes blocking prompt injection attacks, not performing them: 'Block prompt injection attacks that attempt to bypass AI safety guardrails.'
Content safety policies are configured to filter harmful content, not to generate or exfiltrate it.
Permissions
Low
Profile declares no tools or MCP servers; it is purely instructional markdown documentation for Azure API Management configuration.
Bash commands shown are for Azure CLI operations (az apim, az cognitiveservices, az role assignment) scoped to legitimate gateway setup and diagnostics; no shell execution, file mutation, or excessive agency requested.
Details
Evidence
All code examples are configuration commands (e.g., 'az apim backend create', 'az role assignment create') with explicit resource scoping.
Diagnostic commands (curl, KQL queries) are read-only inspection tools for troubleshooting, not privilege escalation or data exfiltration.
MCP Risk
Low
No MCP servers are defined in the profile; the skill is purely documentation and configuration guidance.
References to MCP tools (e.g., 'convert API to MCP', 'MCP rate limiting') are about protecting and governing external MCP tools via APIM policies, not about installing untrusted MCP servers.
Details
Evidence
Profile metadata shows 'Dependencies: None' and no MCP server definitions in the skill configuration.
MCP references are in the context of API governance: 'Protect MCP tools and API endpoints from excessive requests' via rate limiting policies.