mirror of
https://github.com/github/awesome-copilot.git
synced 2026-07-14 01:51:02 +00:00
Add mcp-security-baseline skill (#2212)
* Add mcp-security-baseline skill An Agent Skill that reviews MCP server and client source code against a security baseline (5 controls, 7 RCE vectors, OWASP MCP Top 10) and produces a compliance report with file/line evidence. Complements mcp-security-audit, which checks .mcp.json configuration. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address review feedback: remove ignored keywords field, link MCP spec - Remove the top-level `keywords` field: it is not a recognized skill front-matter field and is ignored (skills are indexed for search by name + description only). The keyword terms are already present in the description, so discovery is unaffected. - Link the MCP 2025-03-26 specification at the protocol-version check so the agent has it for quick reference. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address review feedback: fix unsafe-deserialization example, link current MCP spec - Change the unsafe-deserialization example from `yaml.load(..., Loader=yaml.FullLoader)` to `Loader=yaml.UnsafeLoader` to reflect genuinely unsafe usage. - Add a link to the current MCP spec revision (2025-11-25) alongside the 2025-03-26 baseline on the protocol-version check. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Swetha Kumar <16600902+Swethakumar1@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Aaron Powell <me@aaron-powell.com>
This commit is contained in:
@@ -238,6 +238,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
|
||||
| [mcp-create-declarative-agent](../skills/mcp-create-declarative-agent/SKILL.md)<br />`gh skills install github/awesome-copilot mcp-create-declarative-agent` | Skill converted from mcp-create-declarative-agent.prompt.md | None |
|
||||
| [mcp-deploy-manage-agents](../skills/mcp-deploy-manage-agents/SKILL.md)<br />`gh skills install github/awesome-copilot mcp-deploy-manage-agents` | Skill converted from mcp-deploy-manage-agents.prompt.md | None |
|
||||
| [mcp-security-audit](../skills/mcp-security-audit/SKILL.md)<br />`gh skills install github/awesome-copilot mcp-security-audit` | Audit MCP (Model Context Protocol) server configurations for security issues. Use this skill when:<br />- Reviewing .mcp.json files for security risks<br />- Checking MCP server args for hardcoded secrets or shell injection patterns<br />- Validating that MCP servers use pinned versions (not @latest)<br />- Detecting unpinned dependencies in MCP server configurations<br />- Auditing which MCP servers a project registers and whether they're on an approved list<br />- Checking for environment variable usage vs. hardcoded credentials in MCP configs<br />- Any request like "is my MCP config secure?", "audit my MCP servers", or "check .mcp.json"<br />keywords: [mcp, security, audit, secrets, shell-injection, supply-chain, governance] | None |
|
||||
| [mcp-security-baseline](../skills/mcp-security-baseline/SKILL.md)<br />`gh skills install github/awesome-copilot mcp-security-baseline` | Review MCP (Model Context Protocol) server and client source code against a security baseline — authentication, sessions, rate limiting, input-schema validation, official-SDK usage, RCE vectors, and the OWASP MCP Top 10 — producing a report with file/line evidence. Use this skill when:<br />- Reviewing an MCP server implementation for security before release<br />- Checking a server against the baseline controls (MCP-01 to MCP-05) and the OWASP MCP Top 10<br />- Auditing tools for RCE vectors (command/code injection, unsafe deserialization, path traversal, SSTI, dependency hijacking, SSRF)<br />- Verifying auth, session, rate-limiting, and input-validation controls on a network-exposed server<br />- Reviewing MCP client code that handles untrusted server responses and session IDs<br />- Requests like "review this MCP server for security" or "is my MCP server implementation secure?" | None |
|
||||
| [md-to-docx](../skills/md-to-docx/SKILL.md)<br />`gh skills install github/awesome-copilot md-to-docx` | Convert Markdown files to professionally formatted Word (.docx) documents with embedded PNG images — pure JavaScript, no external tools required | `scripts/md-to-docx.mjs`<br />`scripts/package.json` |
|
||||
| [meeting-minutes](../skills/meeting-minutes/SKILL.md)<br />`gh skills install github/awesome-copilot meeting-minutes` | Generate concise, actionable meeting minutes for internal meetings. Includes metadata, attendees, agenda, decisions, action items (owner + due date), and follow-up steps. | None |
|
||||
| [memory-merger](../skills/memory-merger/SKILL.md)<br />`gh skills install github/awesome-copilot memory-merger` | Merges mature lessons from a domain memory file into its instruction file. Syntax: `/memory-merger >domain [scope]` where scope is `global` (default), `user`, `workspace`, or `ws`. | None |
|
||||
|
||||
Reference in New Issue
Block a user