Version: 2.0.1 (preview)

AI agents should not have hard-coded credentials in topics

Description

Scans all Copilot Studio agent topics for patterns that suggest hard-coded credentials, API keys, connection strings, or secrets. Hard-coded credentials in agent topics can be extracted by prompt injection attacks and often persist after key rotation is performed elsewhere.
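The kind of pattern scan described above, as an added example that is not Maester's own implementation. The regexes, the function name `Find-HardCodedCredential`, and the simplified topic text are all constructed for illustration.

```powershell
# Added example, not Maester's rule set: patterns and sample topic are constructed.
$patterns = [ordered]@{
    'Connection string' = '(?i)\b(?:AccountKey|SharedAccessKey|Password|Pwd)\s*=\s*(?<v>[^;\s"'']{8,})'
    'Bearer token'      = '(?i)\bBearer\s+(?<v>[A-Za-z0-9\-._~+/]{20,}=*)'
    # Requires a digit in the value so plain variable names are not flagged.
    'Key assignment'    = '(?i)\b(?:api[_-]?key|client[_-]?secret|password|token)["'']?\s*[:=]\s*["'']?(?<v>(?=[^\s"'']*\d)[A-Za-z0-9\-._~+/]{16,})'
}

function Find-HardCodedCredential {
    param(
        [Parameter(Mandatory)] [string] $TopicName,
        [Parameter(Mandatory)] [string] $Content
    )
    $lineNumber = 0
    foreach ($line in $Content -split '\r?\n') {
        $lineNumber++
        foreach ($name in $patterns.Keys) {
            $m = [regex]::Match($line, $patterns[$name])
            if (-not $m.Success) { continue }
            $value = $m.Groups['v'].Value
            [pscustomobject]@{
                Topic   = $TopicName
                Line    = $lineNumber
                Pattern = $name
                # Redact so the report does not become a second copy of the secret.
                Excerpt = $value.Substring(0, 4) + ('*' * ($value.Length - 4))
            }
            break   # one finding per line is enough to fail the topic
        }
    }
}

# Constructed, simplified topic text (not an exact Copilot Studio schema).
$sampleTopic = @'
kind: AdaptiveDialog
beginDialog:
  actions:
    - kind: HttpRequestAction
      url: https://api.example.invalid/orders
      headers:
        Authorization: Bearer EXAMPLEexampleEXAMPLE0000000000
        x-api-key: =Topic.ConnectorKey
    - kind: SetVariable
      variable: Topic.Storage
      value: "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=EXAMPLE0000000000EXAMPLE=="
'@

Find-HardCodedCredential -TopicName 'Order status (constructed)' -Content $sampleTopic | Format-Table -AutoSize
```

The literal bearer token and the storage connection string are reported, while the `x-api-key` header that takes its value from a variable reference is not.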

How to fix

Replace all hard-coded credentials with secure alternatives. Use Power Platform environment variables for configuration values and Azure Key Vault for secrets. Configure custom connectors with proper OAuth or API key authentication that stores credentials outside the agent topic definition.

Learn more: Use environment variables in Power Platform

Prerequisites

This test evaluates Copilot Studio agent configurations via the Dataverse API.

Connect-Maester -Service Graph,Dataverse

Learn more