Microsoft Copilot Studio
Static analysis for Microsoft Copilot Studio (formerly Power Virtual Agents) bot exports to detect governance gaps, unsafe actions, and missing human oversight.
Quick Start
```bash
# Export bot from Copilot Studio, then scan
inkog scan ./bot-export --framework copilot-studio
```
What Inkog Detects
| Finding | Severity | Description |
|---|---|---|
| Missing Human Oversight | CRITICAL | High-risk actions without approval gates |
| Power Automate Risk | HIGH | Flows with dangerous operations (HTTP, Execute) |
| Authentication Bypass | CRITICAL | Topics accessible without auth |
| Unbounded Loops | CRITICAL | Conversation loops without exit conditions |
| Credential Exposure | CRITICAL | API keys in action configurations |
Bot Export Format
Copilot Studio exports include:
- topic.yaml - Conversation topics with trigger phrases and actions
- bot_component.json - Bot configuration and settings
- PvaManifest.xml - Manifest with capabilities declaration
Inkog parses all three formats to build a complete security picture of the bot.
Missing Human Oversight
Topics that perform sensitive operations should require human approval.
Vulnerable
```yaml
# Direct delete without confirmation
name: Delete Customer Record
trigger:
  phrases:
    - "delete customer"
    - "remove account"
actions:
  - kind: PowerAutomateFlow
    flowId: "delete-customer-flow"
    inputs:
      customerId: "{Topic.CustomerId}"
```
Secure
```yaml
# Human handoff + confirmation required before the flow runs
name: Delete Customer Record
trigger:
  phrases:
    - "delete customer"
    - "remove account"
actions:
  - kind: HandoffToAgent
    message: "Connecting you to a support agent for account deletion"
  - kind: ConfirmAction
    prompt: "Are you sure you want to delete this account? Type 'CONFIRM' to proceed."
  - kind: PowerAutomateFlow
    flowId: "delete-customer-flow"
    inputs:
      customerId: "{Topic.CustomerId}"
    requiresApproval: true
```
Power Automate Integration Risks
Power Automate flows can execute dangerous operations.
Vulnerable
```yaml
# User input passed to a command flow and to an HTTP URL - injection / SSRF risk
actions:
  - kind: PowerAutomateFlow
    flowId: "execute-command-flow"
    inputs:
      command: "{Topic.UserInput}"
  - kind: HttpRequest
    url: "{Topic.Url}"
    method: POST
```
Secure
```yaml
# Fixed URL with service account auth; flow restricted to read operations
actions:
  - kind: PowerAutomateFlow
    flowId: "safe-lookup-flow"
    inputs:
      query: "{Topic.UserInput}"
    allowedOperations:
      - "dataverse-read"
      - "sharepoint-read"
  - kind: HttpRequest
    url: "https://api.internal.company.com/lookup"
    method: GET
    headers:
      Authorization: "{System.ServiceAccountToken}"
```
Authentication Bypass
Topics should require appropriate authentication levels.
Vulnerable
```yaml
# No auth - anyone can query accounts by supplying an email address
name: Account Balance
trigger:
  phrases:
    - "check balance"
    - "show my account"
authenticationRequired: false
actions:
  - kind: DataverseQuery
    entity: accounts
    filter: "email eq '{Topic.Email}'"
```
Secure
```yaml
# Entra auth + query scoped to the authenticated user
name: Account Balance
trigger:
  phrases:
    - "check balance"
    - "show my account"
authenticationRequired: true
authenticationLevel: Entra
actions:
  - kind: DataverseQuery
    entity: accounts
    filter: "ownerId eq '{System.User.Id}'"
```
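The three checks above (missing human oversight, user input reaching a command flow or an HTTP URL, and authentication bypass) can all be expressed as rules over the parsed topic. The following is an added example, not Inkog's code: a small Python rule set run over this page's own vulnerable and secure topics, represented as already-parsed dicts (load a real topic.yaml with a YAML library first). It also adds one rule the Best Practices section implies, flagging Dataverse filters keyed on a user-supplied value. The node kinds, field names, the Topic./System. placeholder convention and the flow-name patterns are taken from the page's schematic YAML rather than from a documented Copilot Studio schema, and a missing authenticationRequired is deliberately treated as "not required".

```python
import re
from dataclasses import dataclass

# Placeholder convention from the page's YAML: "{Topic.*}" values are filled from the
# conversation and are treated as attacker-influenced; "{System.*}" values come from
# the platform. The flow-name patterns below are assumptions of this example.
USER_INPUT = re.compile(r"\{Topic\.[A-Za-z0-9_.]+\}")
DESTRUCTIVE_FLOW = re.compile(r"delete|remove|transfer|payment", re.I)  # needs a human gate
DANGEROUS_FLOW = re.compile(r"execute|command|shell|http", re.I)        # must not take raw input
APPROVAL_GATES = {"HandoffToAgent", "ConfirmAction"}
DATA_ACTIONS = {"DataverseQuery", "PowerAutomateFlow", "HttpRequest"}

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    topic: str
    detail: str

def _strings(value):
    """Yield every string nested anywhere inside a parsed YAML value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)

def _tainted(value):
    return any(USER_INPUT.search(s) for s in _strings(value))

def check_topic(topic):
    """Return the findings for one topic (a dict parsed from topic.yaml)."""
    name = topic.get("name", "<unnamed>")
    actions = topic.get("actions") or []
    findings = []
    # Fail closed: a missing authenticationRequired counts as "not required".
    if topic.get("authenticationRequired") is not True and any(
            a.get("kind") in DATA_ACTIONS for a in actions):
        findings.append(Finding("authentication_bypass", "CRITICAL", name,
                                "data-access action reachable without authentication"))
    gated = False  # True once a handoff/confirmation node precedes the current action
    for action in actions:
        kind = action.get("kind")
        if kind in APPROVAL_GATES:
            gated = True
        elif kind == "PowerAutomateFlow":
            flow = action.get("flowId", "")
            approved = gated or action.get("requiresApproval") is True
            if DESTRUCTIVE_FLOW.search(flow) and not approved:
                findings.append(Finding("missing_human_oversight", "CRITICAL", name,
                                        f"flow {flow!r} runs with no handoff, confirmation or approval"))
            if DANGEROUS_FLOW.search(flow) and _tainted(action.get("inputs")):
                findings.append(Finding("power_automate_risk", "HIGH", name,
                                        f"user input reaches dangerous flow {flow!r}"))
        elif kind == "HttpRequest" and _tainted(action.get("url")):
            findings.append(Finding("power_automate_risk", "HIGH", name,
                                    "user input controls the HttpRequest url (SSRF)"))
        elif kind == "DataverseQuery" and _tainted(action.get("filter")):
            findings.append(Finding("user_controlled_query_filter", "HIGH", name,
                                    "filter keyed on a user-supplied value; scope by System.User.Id"))
    return findings

def rule_names(findings):
    return {f.rule for f in findings}

# Constructed samples: the parsed form of this page's vulnerable/secure topics, with
# authenticationRequired: True added to the delete and HTTP topics so that only the
# check under discussion fires for them.
SAMPLES = {
    "delete_vulnerable": {"name": "Delete Customer Record", "authenticationRequired": True, "actions": [
        {"kind": "PowerAutomateFlow", "flowId": "delete-customer-flow",
         "inputs": {"customerId": "{Topic.CustomerId}"}}]},
    "delete_secure": {"name": "Delete Customer Record", "authenticationRequired": True, "actions": [
        {"kind": "HandoffToAgent", "message": "Connecting you to a support agent for account deletion"},
        {"kind": "ConfirmAction", "prompt": "Are you sure? Type 'CONFIRM' to proceed."},
        {"kind": "PowerAutomateFlow", "flowId": "delete-customer-flow",
         "inputs": {"customerId": "{Topic.CustomerId}"}, "requiresApproval": True}]},
    "http_vulnerable": {"name": "Run Command", "authenticationRequired": True, "actions": [
        {"kind": "PowerAutomateFlow", "flowId": "execute-command-flow",
         "inputs": {"command": "{Topic.UserInput}"}},
        {"kind": "HttpRequest", "url": "{Topic.Url}", "method": "POST"}]},
    "http_secure": {"name": "Lookup", "authenticationRequired": True, "actions": [
        {"kind": "PowerAutomateFlow", "flowId": "safe-lookup-flow",
         "inputs": {"query": "{Topic.UserInput}"}, "allowedOperations": ["dataverse-read", "sharepoint-read"]},
        {"kind": "HttpRequest", "url": "https://api.internal.company.com/lookup", "method": "GET",
         "headers": {"Authorization": "{System.ServiceAccountToken}"}}]},
    "balance_vulnerable": {"name": "Account Balance", "authenticationRequired": False, "actions": [
        {"kind": "DataverseQuery", "entity": "accounts", "filter": "email eq '{Topic.Email}'"}]},
    "balance_secure": {"name": "Account Balance", "authenticationRequired": True, "authenticationLevel": "Entra",
                       "actions": [{"kind": "DataverseQuery", "entity": "accounts",
                                    "filter": "ownerId eq '{System.User.Id}'"}]},
}

if __name__ == "__main__":
    for key, topic in SAMPLES.items():
        for f in check_topic(topic):
            print(f"{key}: [{f.severity}] {f.rule}: {f.detail}")
```

The oversight rule is order-sensitive on purpose: a ConfirmAction placed after the flow does not gate it, which is exactly how the Vulnerable and Secure blocks above differ. Run as a script it prints one line per finding; the secure variants produce none.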
Unbounded Conversation Loops
Topics whose node graph loops back on itself with no exit condition or iteration limit can run indefinitely.
Vulnerable
```yaml
# Loop without iteration limit: check -> process -> check ...
name: Process Items
nodes:
  - id: start
    kind: Trigger
    next: process
  - id: process
    kind: Action
    next: check
  - id: check
    kind: Condition
    trueNext: process
    falseNext: end
  - id: end
    kind: EndConversation
```
Secure
```yaml
# Explicit iteration counter and limit: the loop's own condition still decides
# whether to continue, but every pass also bumps a counter and exits at 10
name: Process Items
nodes:
  - id: start
    kind: Trigger
    next: process
  - id: process
    kind: Action
    next: check
  - id: check
    kind: Condition
    trueNext: checkLimit
    falseNext: end
  - id: checkLimit
    kind: Condition
    expression: "Topic.IterationCount < 10"
    trueNext: increment
    falseNext: limit_reached
  - id: increment
    kind: SetVariable
    variable: Topic.IterationCount
    value: "=Topic.IterationCount + 1"
    next: process
  - id: limit_reached
    kind: Message
    text: "Maximum iterations reached. Please contact support."
    next: end
  - id: end
    kind: EndConversation
```
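Detecting the vulnerable pattern mechanically means finding cycles in the node graph and then deciding whether each cycle is guarded. Below is an added example, not Inkog's code: it enumerates cycles by depth-first search from the Trigger node and treats a cycle as bounded only when it contains a Condition comparing a Topic variable against a numeric literal, that Condition has a branch leaving the cycle, and a SetVariable node inside the cycle writes the same variable. It is run over the page's two graphs plus a third constructed variant in which the limit is tested but the counter is never incremented, which is still an infinite loop. Node kinds and the next/trueNext/falseNext fields follow the page's schematic YAML; the expression pattern is an assumption.

```python
import re
from dataclasses import dataclass

# A bound guard is a Condition comparing a Topic variable to a numeric literal,
# e.g. "Topic.IterationCount < 10" (this pattern is an assumption of the example).
BOUND_EXPR = re.compile(r"(Topic\.\w+)\s*<=?\s*\d+")
EDGE_KEYS = ("next", "trueNext", "falseNext")

@dataclass
class LoopFinding:
    cycle: list      # node ids in traversal order
    bounded: bool
    reason: str

def find_cycles(nodes):
    """Enumerate simple cycles reachable from the Trigger node(s): a depth-first
    walk keeps the current path and emits a cycle on every back-edge."""
    graph = {n["id"]: [n[k] for k in EDGE_KEYS if k in n] for n in nodes}
    roots = [n["id"] for n in nodes if n.get("kind") == "Trigger"] or list(graph)
    cycles, seen = [], set()

    def dfs(node, path):
        for nxt in graph.get(node, []):  # ids with no node definition have no edges
            if nxt in path:
                cyc = path[path.index(nxt):]
                if frozenset(cyc) not in seen:
                    seen.add(frozenset(cyc))
                    cycles.append(cyc)
            else:
                dfs(nxt, path + [nxt])

    for root in roots:
        dfs(root, [root])
    return cycles

def analyze_loops(nodes):
    """Classify each cycle as bounded only if some Condition on it compares a
    counter against a limit, has a branch that leaves the cycle, and the same
    counter is written by a SetVariable node inside the cycle."""
    by_id = {n["id"]: n for n in nodes}
    findings = []
    for cyc in find_cycles(nodes):
        members = set(cyc)
        updated = {by_id[i].get("variable") for i in cyc if by_id[i].get("kind") == "SetVariable"}
        guards = []  # (node id, guarded variable, has an edge out of the cycle)
        for nid in cyc:
            node = by_id[nid]
            m = BOUND_EXPR.search(node.get("expression", "")) if node.get("kind") == "Condition" else None
            if m:
                exits = any(node[k] not in members for k in EDGE_KEYS if k in node)
                guards.append((nid, m.group(1), exits))
        ok = [g for g in guards if g[1] in updated and g[2]]
        if ok:
            findings.append(LoopFinding(cyc, True, f"bounded by {ok[0][0]} on {ok[0][1]}"))
        elif guards:
            findings.append(LoopFinding(cyc, False,
                f"{guards[0][0]} tests {guards[0][1]} but the loop never updates it or never exits"))
        else:
            findings.append(LoopFinding(cyc, False, "no Condition on the loop bounds an iteration counter"))
    return findings

# Constructed samples: the parsed form of the page's two node graphs, plus a variant
# where the limit is tested but the counter is never incremented.
VULNERABLE = [
    {"id": "start", "kind": "Trigger", "next": "process"},
    {"id": "process", "kind": "Action", "next": "check"},
    {"id": "check", "kind": "Condition", "trueNext": "process", "falseNext": "end"},
    {"id": "end", "kind": "EndConversation"},
]
BOUNDED = [
    {"id": "start", "kind": "Trigger", "next": "process"},
    {"id": "process", "kind": "Action", "next": "check"},
    {"id": "check", "kind": "Condition", "trueNext": "checkLimit", "falseNext": "end"},
    {"id": "checkLimit", "kind": "Condition", "expression": "Topic.IterationCount < 10",
     "trueNext": "increment", "falseNext": "limit_reached"},
    {"id": "increment", "kind": "SetVariable", "variable": "Topic.IterationCount",
     "value": "=Topic.IterationCount + 1", "next": "process"},
    {"id": "limit_reached", "kind": "Message", "text": "Maximum iterations reached.", "next": "end"},
    {"id": "end", "kind": "EndConversation"},
]
GUARD_NO_INCREMENT = [dict(n, trueNext="process") if n["id"] == "checkLimit" else n
                      for n in BOUNDED if n["id"] != "increment"]

if __name__ == "__main__":
    for label, graph in (("vulnerable", VULNERABLE), ("bounded", BOUNDED), ("no increment", GUARD_NO_INCREMENT)):
        for f in analyze_loops(graph):
            print(f"{label}: {' -> '.join(f.cycle)}: {'OK' if f.bounded else 'UNBOUNDED'} ({f.reason})")
```

The third graph is the case a naive "does the loop contain a limit check?" rule misses: the expression is present, but nothing on the cycle changes the counter, so the guard can never become false.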
How to Export Bots
To scan Copilot Studio bots, export them:
- From Power Platform Admin Center:
  - Solutions → Export → Unmanaged
  - Extract the .zip file
- Via Power Platform CLI:

```bash
pac solution export --name YourBotSolution --path ./export
```

- Then scan:

```bash
inkog scan ./export --framework copilot-studio
```
Best Practices
- Require authentication for all topics accessing user data
- Use human handoff for high-risk operations (delete, transfer, payment)
- Limit Power Automate flows to read-only operations where possible
- Set iteration limits on any looping conversation patterns
- Use Dataverse security - never query by user-provided email/ID
- Review before deployment - scan in CI/CD pipeline
CLI Examples
```bash
# Scan exported bot
inkog scan ./bot-export --framework copilot-studio

# Report only critical findings (authentication bypass, missing oversight, credential exposure)
inkog scan ./export -severity critical

# JSON output for CI
inkog scan ./export -output json -output-file results.json
```
Compliance Mapping
Copilot Studio findings map to:
| Finding | EU AI Act | NIST AI RMF |
|---|---|---|
| Missing Human Oversight | Article 14.1 | MAP 1.3 |
| Authentication Bypass | Article 15 | MEASURE 2.2 |
| Unbounded Loops | Article 12 | MEASURE 2.4 |
Related
- n8n - Similar workflow automation
- Salesforce Agentforce - Enterprise chatbots
- Missing Human Oversight