feat: add 3 agent security skills (MCP audit, OWASP compliance, supply chain) (#1248)

* feat: add 3 agent security skills (MCP audit, OWASP compliance, supply chain)

- mcp-security-audit: Audit .mcp.json files for hardcoded secrets,
  shell injection, unpinned versions, dangerous command patterns
- agent-owasp-compliance: Check agent systems against OWASP ASI 2026
  Top 10 risks with compliance report generation
- agent-supply-chain: SHA-256 integrity manifests, tamper detection,
  version pinning audit, promotion gates for agent plugins

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address all 9 review comments

1. Added 3 new skills to docs/README.skills.md index
2. Added imports (json, re) to shell injection check snippet
3. Updated unpinned deps wording to match code behavior (@latest only)
4. Moved check_secrets() outside per-server loop to avoid duplicates
5. Added imports note to verify_manifest snippet
6. Updated promotion_check to support both .github/plugin and .claude-plugin layouts
7. Updated CI example to cd into plugin directory before verifying
8. Added check sections for all 10 ASI controls (was missing 03, 04, 06, 08, 10)
9. Made ASI-01 code snippet runnable with actual file scanning implementation

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: regenerate docs/README.skills.md via npm start

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Imran Siddique
2026-04-08 22:33:08 -07:00
committed by GitHub
parent 8eed96741f
commit e95bd8c4ba
4 changed files with 943 additions and 0 deletions

@@ -28,6 +28,8 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
| ---- | ----------- | -------------- |
| [add-educational-comments](../skills/add-educational-comments/SKILL.md) | Add educational comments to the file specified, or prompt asking for file to comment if one is not provided. | None |
| [agent-governance](../skills/agent-governance/SKILL.md) | Patterns and techniques for adding governance, safety, and trust controls to AI agent systems. Use this skill when:<br />- Building AI agents that call external tools (APIs, databases, file systems)<br />- Implementing policy-based access controls for agent tool usage<br />- Adding semantic intent classification to detect dangerous prompts<br />- Creating trust scoring systems for multi-agent workflows<br />- Building audit trails for agent actions and decisions<br />- Enforcing rate limits, content filters, or tool restrictions on agents<br />- Working with any agent framework (PydanticAI, CrewAI, OpenAI Agents, LangChain, AutoGen) | None |
| [agent-owasp-compliance](../skills/agent-owasp-compliance/SKILL.md) | Check any AI agent codebase against the OWASP Agentic Security Initiative (ASI) Top 10 risks.<br />Use this skill when:<br />- Evaluating an agent system's security posture before production deployment<br />- Running a compliance check against OWASP ASI 2026 standards<br />- Mapping existing security controls to the 10 agentic risks<br />- Generating a compliance report for security review or audit<br />- Comparing agent framework security features against the standard<br />- Any request like "is my agent OWASP compliant?", "check ASI compliance", or "agentic security audit" | None |
| [agent-supply-chain](../skills/agent-supply-chain/SKILL.md) | Verify supply chain integrity for AI agent plugins, tools, and dependencies. Use this skill when:<br />- Generating SHA-256 integrity manifests for agent plugins or tool packages<br />- Verifying that installed plugins match their published manifests<br />- Detecting tampered, modified, or untracked files in agent tool directories<br />- Auditing dependency pinning and version policies for agent components<br />- Building provenance chains for agent plugin promotion (dev → staging → production)<br />- Any request like "verify plugin integrity", "generate manifest", "check supply chain", or "sign this plugin" | None |
| [agentic-eval](../skills/agentic-eval/SKILL.md) | Patterns and techniques for evaluating and improving AI agent outputs. Use this skill when:<br />- Implementing self-critique and reflection loops<br />- Building evaluator-optimizer pipelines for quality-critical generation<br />- Creating test-driven code refinement workflows<br />- Designing rubric-based or LLM-as-judge evaluation systems<br />- Adding iterative improvement to agent outputs (code, reports, analysis)<br />- Measuring and improving agent response quality | None |
| [ai-prompt-engineering-safety-review](../skills/ai-prompt-engineering-safety-review/SKILL.md) | Comprehensive AI prompt engineering safety review and improvement prompt. Analyzes prompts for safety, bias, security vulnerabilities, and effectiveness while providing detailed improvement recommendations with extensive frameworks, testing methodologies, and educational content. | None |
| [appinsights-instrumentation](../skills/appinsights-instrumentation/SKILL.md) | Instrument a webapp to send useful telemetry data to Azure App Insights | `LICENSE.txt`<br />`examples`<br />`references/ASPNETCORE.md`<br />`references/AUTO.md`<br />`references/NODEJS.md`<br />`references/PYTHON.md`<br />`scripts/appinsights.ps1` |
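Review bot: the new `agent-supply-chain` row lists "sign this plugin" among the trigger phrases, but every capability in the same cell (SHA-256 integrity manifests, manifest verification, tamper/untracked-file detection, pinning audit, promotion provenance) is hash-based; a SHA-256 manifest says nothing about who produced the files unless the manifest itself is signed or fetched over a trusted channel, and anyone who can modify the plugin directory can regenerate the manifest alongside it. Either drop "sign this plugin" from the trigger list or state in the description that the skill generates and verifies integrity manifests and does not sign anything, so users do not mistake a matching manifest for a provenance guarantee. Minor, same hunk: the `agent-owasp-compliance` row says "OWASP ASI 2026 standards"; the ASI Top 10 is a risk list rather than a standard, so "against the OWASP ASI Top 10 (2026)" would be the more accurate wording.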
@@ -189,6 +191,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
| [mcp-create-adaptive-cards](../skills/mcp-create-adaptive-cards/SKILL.md) | Skill converted from mcp-create-adaptive-cards.prompt.md | None |
| [mcp-create-declarative-agent](../skills/mcp-create-declarative-agent/SKILL.md) | Skill converted from mcp-create-declarative-agent.prompt.md | None |
| [mcp-deploy-manage-agents](../skills/mcp-deploy-manage-agents/SKILL.md) | Skill converted from mcp-deploy-manage-agents.prompt.md | None |
| [mcp-security-audit](../skills/mcp-security-audit/SKILL.md) | Audit MCP (Model Context Protocol) server configurations for security issues. Use this skill when:<br />- Reviewing .mcp.json files for security risks<br />- Checking MCP server args for hardcoded secrets or shell injection patterns<br />- Validating that MCP servers use pinned versions (not @latest)<br />- Detecting unpinned dependencies in MCP server configurations<br />- Auditing which MCP servers a project registers and whether they're on an approved list<br />- Checking for environment variable usage vs. hardcoded credentials in MCP configs<br />- Any request like "is my MCP config secure?", "audit my MCP servers", or "check .mcp.json"<br />keywords: [mcp, security, audit, secrets, shell-injection, supply-chain, governance] | None |
| [meeting-minutes](../skills/meeting-minutes/SKILL.md) | Generate concise, actionable meeting minutes for internal meetings. Includes metadata, attendees, agenda, decisions, action items (owner + due date), and follow-up steps. | None |
| [memory-merger](../skills/memory-merger/SKILL.md) | Merges mature lessons from a domain memory file into its instruction file. Syntax: `/memory-merger >domain [scope]` where scope is `global` (default), `user`, `workspace`, or `ws`. | None |
| [mentoring-juniors](../skills/mentoring-juniors/SKILL.md) | Socratic mentoring for junior developers and AI newcomers. Guides through questions, never answers. Triggers: "help me understand", "explain this code", "I'm stuck", "Im stuck", "I'm confused", "Im confused", "I don't understand", "I dont understand", "can you teach me", "teach me", "mentor me", "guide me", "what does this error mean", "why doesn't this work", "why does not this work", "I'm a beginner", "Im a beginner", "I'm learning", "Im learning", "I'm new to this", "Im new to this", "walk me through", "how does this work", "what's wrong with my code", "what's wrong", "can you break this down", "ELI5", "step by step", "where do I start", "what am I missing", "newbie here", "junior dev", "first time using", "how do I", "what is", "is this right", "not sure", "need help", "struggling", "show me", "help me debug", "best practice", "too complex", "overwhelmed", "lost", "debug this", "/socratic", "/hint", "/concept", "/pseudocode". Progressive clue systems, teaching techniques, and success metrics. | None |
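Review bot: the new `mcp-security-audit` row carries two overlapping bullets, "Validating that MCP servers use pinned versions (not @latest)" and "Detecting unpinned dependencies in MCP server configurations", and the second one promises more than the check does according to the commit message (review fix 3: wording changed to match code behaviour, "@latest only"). A server launched as `npx -y some-server` with no version suffix is just as unpinned as `some-server@latest` but would pass this check; either merge the two bullets into one that says the audit flags explicit `@latest` tags, or extend the check to require an explicit version and keep the broader wording. Style point in the same cell: it ends with `keywords: [mcp, security, audit, ...]`, which no other row in the table has; since this file is regenerated via `npm start`, that line appears to be leaking from the SKILL.md frontmatter (a multi-line `description` swallowing the following `keywords` key), so the fix belongs in the skill's frontmatter, not in the generated table.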