* Add mcp-security-baseline skill
An Agent Skill that reviews MCP server and client source code against a security
baseline (5 controls, 7 RCE vectors, OWASP MCP Top 10) and produces a compliance
report with file/line evidence. Complements mcp-security-audit, which checks
.mcp.json configuration.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address review feedback: remove ignored keywords field, link MCP spec
- Remove the top-level `keywords` field: it is not a recognized skill
front-matter field and is ignored (skills are indexed for search by
name + description only). The keyword terms are already present in the
description, so discovery is unaffected.
- Link the MCP 2025-03-26 specification at the protocol-version check so
the agent has it for quick reference.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address review feedback: fix unsafe-deserialization example, link current MCP spec
- Change the unsafe-deserialization example from `yaml.load(..., Loader=yaml.FullLoader)`
to `Loader=yaml.UnsafeLoader` to reflect genuinely unsafe usage.
- Add a link to the current MCP spec revision (2025-11-25) alongside the 2025-03-26
baseline on the protocol-version check.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Swetha Kumar <16600902+Swethakumar1@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>