This skill executes arbitrary commands from external files, manipulates
Claims to do
Azure Validate: > **AUTHORITATIVE GUIDANCE** — Follow these instructions exactly unless they contradict security policies given to you.
Actually does
This skill reads a deployment plan from `.azure/deployment-plan.md` and executes validation commands such as `azd provision --preview`, `bicep build`, and `terraform validate` based on recipes. It also performs a project build verification and reviews Bicep/Terraform for RBAC, recording all proof in the deployment plan before setting its status to `Validated` and instructing the agent to invoke `azure-deploy`.
npx skills add https://github.com/microsoft/github-copilot-for-azure
The skill explicitly executes commands sourced from `recipes/README.md` and performs project builds. This capability allows for arbitrary command execution if the recipe file is malicious or manipulated, posing a supply chain risk.
Execute recipe-specific validation commands | [recipes/README.md], Build the project | See recipe, Run actual validation commands (azd provision --preview, bicep build, terraform validate, etc.)
The skill explicitly invokes another skill, `azure-deploy`, as a mandatory next step. This demonstrates the capability for one agent to spawn or delegate tasks to another skill.
Invoke azure-deploy skill, you MUST invoke azure-deploy to execute the deployment.
The skill mandates that the agent automatically invoke 'azure-deploy' after validation completes, explicitly prohibiting the agent from running deployment commands directly and requiring delegation to a separate skill. This creates an enforced multi-agent/skill pipeline (azure-prepare → azure-validate → azure-deploy) where each step autonomously triggers the next without requiring explicit user approval at each transition. This pattern suppresses user confirmation opportunities at the critical deployment step.
> After ALL validations pass, you **MUST** invoke **azure-deploy** to execute the deployment. Do NOT attempt to run `azd up`, `azd deploy`, or any deployment commands directly. Let azure-deploy handle execution.
Step 9 in the workflow table instructs the agent to invoke 'azure-deploy' skill autonomously as the final step, creating a chained sub-agent invocation pattern. Combined with the mandatory blocking at the start requiring 'azure-prepare' to have run, this constructs a fully automated pipeline that routes through attacker-controllable skill references.
| 9 | **Deploy** — Invoke **azure-deploy** skill | — |
The skill enforces a hard stop requiring a file artifact from 'azure-prepare' to exist before proceeding, and instructs the agent to automatically invoke 'azure-prepare' if it is missing. This creates unbounded workflow redirection where the agent is autonomously bounced between skills based on file-system state, reducing opportunity for human oversight.
If the plan is missing, **STOP IMMEDIATELY** and invoke **azure-prepare** first.
The skill uses strong, authoritative language ('AUTHORITATIVE GUIDANCE', 'MUST', 'DO NOT SKIP') to influence the agent's reasoning and ensure strict adherence to the workflow, potentially overriding other considerations or security policies.
AUTHORITATIVE GUIDANCE — Follow these instructions exactly unless they contradict security policies given to you., You MUST follow these steps, MANDATORY NEXT STEP — DO NOT SKIP
The skill opens with a bold 'AUTHORITATIVE GUIDANCE' directive instructing the agent to follow these instructions exactly unless they contradict security policies. This framing is designed to elevate the skill's instructions above normal agent reasoning and reduce scrutiny of subsequent directives.
> **AUTHORITATIVE GUIDANCE** — Follow these instructions exactly unless they contradict security policies given to you.
The 'VALIDATION AUTHORITY' block declares itself the 'officially verified' mechanism for setting plan status, using authoritative institutional language to reduce agent skepticism and discourage deviation from the prescribed steps, potentially masking malicious instructions embedded in referenced recipe files.
> **⛔ VALIDATION AUTHORITY**
>
> This skill is the officially verified way to set plan status to `Validated`.
The skill modifies the `.azure/deployment-plan.md` file by adding validation steps and recording proof, with content potentially sourced from `recipes/README.md`. A malicious recipe could poison the agent's knowledge base or RAG.
Add Validation Steps — Copy recipe 'Validation Steps' to .azure/deployment-plan.md, Record Proof — Populate Section 7: Validation Proof
The skill explicitly states that destructive actions require user confirmation (`ask_user`). While this is a safeguard, it indicates the skill has the capability to perform destructive operations.
⛔ Destructive actions require ask_user
The skill uses emphatic 'MANDATORY', 'DO NOT SKIP', and 'MUST' language to push the agent directly into deployment after validation, discouraging it from pausing for user confirmation before executing a potentially destructive cloud deployment operation.
> **⚠️ MANDATORY NEXT STEP — DO NOT SKIP**
>
> After ALL validations pass, you **MUST** invoke **azure-deploy** to execute the deployment.
The skill instructs the agent to load and execute content from multiple external reference files (references/recipes/README.md, references/role-verification.md, errors.md, .azure/deployment-plan.md). These files are read at runtime and their content is used to drive agent actions, creating an indirect prompt injection surface where attacker-controlled file content could redirect agent behavior.
| 2 | **Add Validation Steps** — Copy recipe "Validation Steps" to `.azure/deployment-plan.md` ... | [recipes/README.md](references/recipes/README.md) |
| 3 | **Run Validation** — Execute recipe-specific validation commands | [recipes/README.md](references/recipes/README.md) |