
Commit e7ab12c

Swethakumar1 and Copilot committed
Add mcp-security-baseline skill
An Agent Skill that reviews MCP server and client source code against a security baseline (5 controls, 7 RCE vectors, OWASP MCP Top 10) and produces a compliance report with file/line evidence. Complements mcp-security-audit, which checks .mcp.json configuration. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent e986f49 commit e7ab12c

2 files changed

Lines changed: 317 additions & 0 deletions

File tree

docs/README.skills.md

Lines changed: 1 addition & 0 deletions
@@ -238,6 +238,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
238238
| [mcp-create-declarative-agent](../skills/mcp-create-declarative-agent/SKILL.md)<br />`gh skills install github/awesome-copilot mcp-create-declarative-agent` | Skill converted from mcp-create-declarative-agent.prompt.md | None |
239239
| [mcp-deploy-manage-agents](../skills/mcp-deploy-manage-agents/SKILL.md)<br />`gh skills install github/awesome-copilot mcp-deploy-manage-agents` | Skill converted from mcp-deploy-manage-agents.prompt.md | None |
240240
| [mcp-security-audit](../skills/mcp-security-audit/SKILL.md)<br />`gh skills install github/awesome-copilot mcp-security-audit` | Audit MCP (Model Context Protocol) server configurations for security issues. Use this skill when:<br />- Reviewing .mcp.json files for security risks<br />- Checking MCP server args for hardcoded secrets or shell injection patterns<br />- Validating that MCP servers use pinned versions (not @latest)<br />- Detecting unpinned dependencies in MCP server configurations<br />- Auditing which MCP servers a project registers and whether they're on an approved list<br />- Checking for environment variable usage vs. hardcoded credentials in MCP configs<br />- Any request like "is my MCP config secure?", "audit my MCP servers", or "check .mcp.json"<br />keywords: [mcp, security, audit, secrets, shell-injection, supply-chain, governance] | None |
241+
| [mcp-security-baseline](../skills/mcp-security-baseline/SKILL.md)<br />`gh skills install github/awesome-copilot mcp-security-baseline` | Review MCP (Model Context Protocol) server and client source code against a security baseline — authentication, sessions, rate limiting, input-schema validation, official-SDK usage, RCE vectors, and the OWASP MCP Top 10 — producing a report with file/line evidence. Use this skill when:<br />- Reviewing an MCP server implementation for security before release<br />- Checking a server against the baseline controls (MCP-01 to MCP-05) and the OWASP MCP Top 10<br />- Auditing tools for RCE vectors (command/code injection, unsafe deserialization, path traversal, SSTI, dependency hijacking, SSRF)<br />- Verifying auth, session, rate-limiting, and input-validation controls on a network-exposed server<br />- Reviewing MCP client code that handles untrusted server responses and session IDs<br />- Requests like "review this MCP server for security" or "is my MCP server implementation secure?" | None |
241242
| [md-to-docx](../skills/md-to-docx/SKILL.md)<br />`gh skills install github/awesome-copilot md-to-docx` | Convert Markdown files to professionally formatted Word (.docx) documents with embedded PNG images — pure JavaScript, no external tools required | `scripts/md-to-docx.mjs`<br />`scripts/package.json` |
242243
| [meeting-minutes](../skills/meeting-minutes/SKILL.md)<br />`gh skills install github/awesome-copilot meeting-minutes` | Generate concise, actionable meeting minutes for internal meetings. Includes metadata, attendees, agenda, decisions, action items (owner + due date), and follow-up steps. | None |
243244
| [memory-merger](../skills/memory-merger/SKILL.md)<br />`gh skills install github/awesome-copilot memory-merger` | Merges mature lessons from a domain memory file into its instruction file. Syntax: `/memory-merger >domain [scope]` where scope is `global` (default), `user`, `workspace`, or `ws`. | None |
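Review bot: the added mcp-security-baseline row (line 241+) lists six RCE vector categories (command/code injection, unsafe deserialization, path traversal, SSTI, dependency hijacking, SSRF) while the commit message advertises 7 RCE vectors; either split command injection and code injection into two items in the row or align the count in the commit message and the skill's own text so the README, the commit and the SKILL.md referenced by the link agree. The row also has no `keywords:` line, unlike the neighbouring mcp-security-audit row it is described as complementing; adding one (for example the same mcp, security, audit, supply-chain terms plus rce and owasp) would keep the two skills discoverable by the same searches, and if this table is produced from SKILL.md frontmatter as the CONTRIBUTING.md reference in the hunk header suggests, the change belongs in the skill's frontmatter rather than a hand edit of the README.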
