diff --git a/docs/README.skills.md b/docs/README.skills.md index 7ec23e88..2d8d0412 100644 --- a/docs/README.skills.md +++ b/docs/README.skills.md @@ -238,8 +238,8 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to | [mcp-create-adaptive-cards](../skills/mcp-create-adaptive-cards/SKILL.md)
`gh skills install github/awesome-copilot mcp-create-adaptive-cards` | Skill converted from mcp-create-adaptive-cards.prompt.md | None | | [mcp-create-declarative-agent](../skills/mcp-create-declarative-agent/SKILL.md)
`gh skills install github/awesome-copilot mcp-create-declarative-agent` | Skill converted from mcp-create-declarative-agent.prompt.md | None | | [mcp-deploy-manage-agents](../skills/mcp-deploy-manage-agents/SKILL.md)
`gh skills install github/awesome-copilot mcp-deploy-manage-agents` | Skill converted from mcp-deploy-manage-agents.prompt.md | None | +| [mcp-implementation-security-review](../skills/mcp-implementation-security-review/SKILL.md)
`gh skills install github/awesome-copilot mcp-implementation-security-review` | Review the implementation source code of MCP (Model Context Protocol) servers, clients, and tool handlers against a security baseline — authentication, sessions, rate limiting, input-schema validation, official-SDK usage, RCE vectors, and the OWASP MCP Top 10 — producing a report with file/line evidence. Use this skill when:
- Reviewing an MCP server implementation for security before release
- Checking a server against the baseline controls (MCP-01 to MCP-05) and the OWASP MCP Top 10
- Auditing tools for RCE vectors (command/code injection, unsafe deserialization, path traversal, SSTI, dependency hijacking, SSRF)
- Verifying auth, session, rate-limiting, and input-validation controls on a network-exposed server
- Reviewing MCP client code that handles untrusted server responses and session IDs
- Requests like "review this MCP server for security" or "is my MCP server implementation secure?" | None | | [mcp-security-audit](../skills/mcp-security-audit/SKILL.md)
`gh skills install github/awesome-copilot mcp-security-audit` | Audit MCP (Model Context Protocol) server configurations for security issues. Use this skill when:
- Reviewing .mcp.json files for security risks
- Checking MCP server args for hardcoded secrets or shell injection patterns
- Validating that MCP servers use pinned versions (not @latest)
- Detecting unpinned dependencies in MCP server configurations
- Auditing which MCP servers a project registers and whether they're on an approved list
- Checking for environment variable usage vs. hardcoded credentials in MCP configs
- Any request like "is my MCP config secure?", "audit my MCP servers", or "check .mcp.json"
keywords: [mcp, security, audit, secrets, shell-injection, supply-chain, governance] | None | -| [mcp-security-baseline](../skills/mcp-security-baseline/SKILL.md)
`gh skills install github/awesome-copilot mcp-security-baseline` | Review MCP (Model Context Protocol) server and client source code against a security baseline — authentication, sessions, rate limiting, input-schema validation, official-SDK usage, RCE vectors, and the OWASP MCP Top 10 — producing a report with file/line evidence. Use this skill when:
- Reviewing an MCP server implementation for security before release
- Checking a server against the baseline controls (MCP-01 to MCP-05) and the OWASP MCP Top 10
- Auditing tools for RCE vectors (command/code injection, unsafe deserialization, path traversal, SSTI, dependency hijacking, SSRF)
- Verifying auth, session, rate-limiting, and input-validation controls on a network-exposed server
- Reviewing MCP client code that handles untrusted server responses and session IDs
- Requests like "review this MCP server for security" or "is my MCP server implementation secure?" | None | | [md-to-docx](../skills/md-to-docx/SKILL.md)
`gh skills install github/awesome-copilot md-to-docx` | Convert Markdown files to professionally formatted Word (.docx) documents with embedded PNG images — pure JavaScript, no external tools required | `scripts/md-to-docx.mjs`
`scripts/package.json` | | [meeting-minutes](../skills/meeting-minutes/SKILL.md)
`gh skills install github/awesome-copilot meeting-minutes` | Generate concise, actionable meeting minutes for internal meetings. Includes metadata, attendees, agenda, decisions, action items (owner + due date), and follow-up steps. | None | | [memory-merger](../skills/memory-merger/SKILL.md)
`gh skills install github/awesome-copilot memory-merger` | Merges mature lessons from a domain memory file into its instruction file. Syntax: `/memory-merger >domain [scope]` where scope is `global` (default), `user`, `workspace`, or `ws`. | None | diff --git a/skills/mcp-security-baseline/SKILL.md b/skills/mcp-implementation-security-review/SKILL.md similarity index 98% rename from skills/mcp-security-baseline/SKILL.md rename to skills/mcp-implementation-security-review/SKILL.md index 1c355748..5bf9d01b 100644 --- a/skills/mcp-security-baseline/SKILL.md +++ b/skills/mcp-implementation-security-review/SKILL.md @@ -1,7 +1,7 @@ --- -name: mcp-security-baseline +name: mcp-implementation-security-review description: | - Review MCP (Model Context Protocol) server and client source code against a security baseline — authentication, sessions, rate limiting, input-schema validation, official-SDK usage, RCE vectors, and the OWASP MCP Top 10 — producing a report with file/line evidence. Use this skill when: + Review the implementation source code of MCP (Model Context Protocol) servers, clients, and tool handlers against a security baseline — authentication, sessions, rate limiting, input-schema validation, official-SDK usage, RCE vectors, and the OWASP MCP Top 10 — producing a report with file/line evidence. Use this skill when: - Reviewing an MCP server implementation for security before release - Checking a server against the baseline controls (MCP-01 to MCP-05) and the OWASP MCP Top 10 - Auditing tools for RCE vectors (command/code injection, unsafe deserialization, path traversal, SSTI, dependency hijacking, SSRF) @@ -10,7 +10,7 @@ description: | - Requests like "review this MCP server for security" or "is my MCP server implementation secure?" --- -# MCP Security Baseline Review +# MCP Implementation Security Review ## Process