Prerequisites for Granting Roles

Name: github-copilot-for-azure/azure-rbac
Author: microsoft

View on GitHub↗

Share on X Share on LinkedIn Share on Bluesky

40Medium

The skill generates Azure CLI and Bicep for role assignment, risking privilege escalation if

ThreatsCI SM CS BC S HITL

Behavior Analysis

Description verified — behavior matches claim

Claims to do

Prerequisites for Granting Roles: To assign RBAC roles to identities, you need a role that includes the `Microsoft.Authorization/roleAssignments/write` permission. The most common roles with this permission are:

Actually does

The skill uses the `azure__documentation` tool to find Azure RBAC role definitions, `azure__extension_cli_generate` to create custom roles and generate Azure CLI commands for role assignment, and `azure__bicepschema` and `azure__get_azure_bestpractices` to generate Bicep code snippets for role assignments. It also provides static guidance on the permissions required to grant roles.

Threat Analysis

AI Agent Traps ↗Scanned 4/15/2026

Content InjectionPerceptionclean

Semantic ManipulationReasoningclean

Cognitive StateMemory & Learningclean

Behavioural ControlAction2 findings

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Namemicrosoft/github-copilot-for-azure/azure-rbac

Registrygithub

Version4081320c2592

PURLpkg:github/microsoft/github-copilot-for-azure@4081320c2592?skill=azure-rbac

Stars202

Installs154,000

Source

Repository ↗SKILL.md ↗

SHA-25608974b8cc5c3...

SHA-109caf1cb7b06...

MD5f4667699e263...

TLSHe331de27d9ee...

Size1,686 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

GitHub

https://github.com/microsoft/github-copilot-for-azure/tree/main/skills/azure-rbac

154,000 installs

Skills.shDocs

npx skills add https://github.com/microsoft/github-copilot-for-azure

Assessments (1)

AI Agent Traps ↗

Generates Azure CLI commands for RBACmediumcommand execution

The skill generates Azure CLI commands for role assignment, a powerful capability that can alter access control and potentially lead to privilege escalation if the generated commands are executed without proper validation or if the agent is compromised.

90% confidenceline 10

generate CLI commands needed to assign that role to the identity.

Generates Bicep code for RBACmediumresource modification

The skill generates Bicep code snippets for role assignment, enabling declarative modification of Azure resources and access controls, which could be abused if deployed without sufficient review.

90% confidenceline 9

provide a Bicep code snippet for adding the role assignment.

Version History (2)

771a66600a0c0None5/4/2026 4081320c2592current40Medium4/15/2026

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/github/microsoft/github-copilot-for-azure/azure-rbac.svg)](https://mondoo.com/ai-agent-security/skills/github/microsoft/github-copilot-for-azure/azure-rbac)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/github/microsoft/github-copilot-for-azure/azure-rbac"><img src="https://mondoo.com/ai-agent-security/api/badge/github/microsoft/github-copilot-for-azure/azure-rbac.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/github/microsoft/github-copilot-for-azure/azure-rbac.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow