From 09d987959ba4a6d3cd6f64465325327adb7f82ad Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
<41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 9 Jul 2026 21:44:11 +0000
Subject: [PATCH] chore: publish from main
---
docs/README.skills.md | 2 +-
.../SKILL.md | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
rename skills/{mcp-security-baseline => mcp-implementation-security-review}/SKILL.md (98%)
diff --git a/docs/README.skills.md b/docs/README.skills.md
index 7ec23e88..2d8d0412 100644
--- a/docs/README.skills.md
+++ b/docs/README.skills.md
@@ -238,8 +238,8 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
| [mcp-create-adaptive-cards](../skills/mcp-create-adaptive-cards/SKILL.md)
`gh skills install github/awesome-copilot mcp-create-adaptive-cards` | Skill converted from mcp-create-adaptive-cards.prompt.md | None |
| [mcp-create-declarative-agent](../skills/mcp-create-declarative-agent/SKILL.md)
`gh skills install github/awesome-copilot mcp-create-declarative-agent` | Skill converted from mcp-create-declarative-agent.prompt.md | None |
| [mcp-deploy-manage-agents](../skills/mcp-deploy-manage-agents/SKILL.md)
`gh skills install github/awesome-copilot mcp-deploy-manage-agents` | Skill converted from mcp-deploy-manage-agents.prompt.md | None |
+| [mcp-implementation-security-review](../skills/mcp-implementation-security-review/SKILL.md)
`gh skills install github/awesome-copilot mcp-implementation-security-review` | Review the implementation source code of MCP (Model Context Protocol) servers, clients, and tool handlers against a security baseline — authentication, sessions, rate limiting, input-schema validation, official-SDK usage, RCE vectors, and the OWASP MCP Top 10 — producing a report with file/line evidence. Use this skill when:
- Reviewing an MCP server implementation for security before release
- Checking a server against the baseline controls (MCP-01 to MCP-05) and the OWASP MCP Top 10
- Auditing tools for RCE vectors (command/code injection, unsafe deserialization, path traversal, SSTI, dependency hijacking, SSRF)
- Verifying auth, session, rate-limiting, and input-validation controls on a network-exposed server
- Reviewing MCP client code that handles untrusted server responses and session IDs
- Requests like "review this MCP server for security" or "is my MCP server implementation secure?" | None |
| [mcp-security-audit](../skills/mcp-security-audit/SKILL.md)
`gh skills install github/awesome-copilot mcp-security-audit` | Audit MCP (Model Context Protocol) server configurations for security issues. Use this skill when:
- Reviewing .mcp.json files for security risks
- Checking MCP server args for hardcoded secrets or shell injection patterns
- Validating that MCP servers use pinned versions (not @latest)
- Detecting unpinned dependencies in MCP server configurations
- Auditing which MCP servers a project registers and whether they're on an approved list
- Checking for environment variable usage vs. hardcoded credentials in MCP configs
- Any request like "is my MCP config secure?", "audit my MCP servers", or "check .mcp.json"
keywords: [mcp, security, audit, secrets, shell-injection, supply-chain, governance] | None |
-| [mcp-security-baseline](../skills/mcp-security-baseline/SKILL.md)
`gh skills install github/awesome-copilot mcp-security-baseline` | Review MCP (Model Context Protocol) server and client source code against a security baseline — authentication, sessions, rate limiting, input-schema validation, official-SDK usage, RCE vectors, and the OWASP MCP Top 10 — producing a report with file/line evidence. Use this skill when:
- Reviewing an MCP server implementation for security before release
- Checking a server against the baseline controls (MCP-01 to MCP-05) and the OWASP MCP Top 10
- Auditing tools for RCE vectors (command/code injection, unsafe deserialization, path traversal, SSTI, dependency hijacking, SSRF)
- Verifying auth, session, rate-limiting, and input-validation controls on a network-exposed server
- Reviewing MCP client code that handles untrusted server responses and session IDs
- Requests like "review this MCP server for security" or "is my MCP server implementation secure?" | None |
| [md-to-docx](../skills/md-to-docx/SKILL.md)
`gh skills install github/awesome-copilot md-to-docx` | Convert Markdown files to professionally formatted Word (.docx) documents with embedded PNG images — pure JavaScript, no external tools required | `scripts/md-to-docx.mjs`
`scripts/package.json` |
| [meeting-minutes](../skills/meeting-minutes/SKILL.md)
`gh skills install github/awesome-copilot meeting-minutes` | Generate concise, actionable meeting minutes for internal meetings. Includes metadata, attendees, agenda, decisions, action items (owner + due date), and follow-up steps. | None |
| [memory-merger](../skills/memory-merger/SKILL.md)
`gh skills install github/awesome-copilot memory-merger` | Merges mature lessons from a domain memory file into its instruction file. Syntax: `/memory-merger >domain [scope]` where scope is `global` (default), `user`, `workspace`, or `ws`. | None |
diff --git a/skills/mcp-security-baseline/SKILL.md b/skills/mcp-implementation-security-review/SKILL.md
similarity index 98%
rename from skills/mcp-security-baseline/SKILL.md
rename to skills/mcp-implementation-security-review/SKILL.md
index 1c355748..5bf9d01b 100644
--- a/skills/mcp-security-baseline/SKILL.md
+++ b/skills/mcp-implementation-security-review/SKILL.md
@@ -1,7 +1,7 @@
---
-name: mcp-security-baseline
+name: mcp-implementation-security-review
description: |
- Review MCP (Model Context Protocol) server and client source code against a security baseline — authentication, sessions, rate limiting, input-schema validation, official-SDK usage, RCE vectors, and the OWASP MCP Top 10 — producing a report with file/line evidence. Use this skill when:
+ Review the implementation source code of MCP (Model Context Protocol) servers, clients, and tool handlers against a security baseline — authentication, sessions, rate limiting, input-schema validation, official-SDK usage, RCE vectors, and the OWASP MCP Top 10 — producing a report with file/line evidence. Use this skill when:
- Reviewing an MCP server implementation for security before release
- Checking a server against the baseline controls (MCP-01 to MCP-05) and the OWASP MCP Top 10
- Auditing tools for RCE vectors (command/code injection, unsafe deserialization, path traversal, SSTI, dependency hijacking, SSRF)
@@ -10,7 +10,7 @@ description: |
- Requests like "review this MCP server for security" or "is my MCP server implementation secure?"
---
-# MCP Security Baseline Review
+# MCP Implementation Security Review
## Process