
Add mcp-security-baseline skill#2212

Open
Swethakumar1 wants to merge 1 commit into
github:mainfrom
Swethakumar1:add-mcp-security-baseline-skill

Conversation

@Swethakumar1 Swethakumar1 commented Jul 4, 2026


Add skill: mcp-security-baseline

An Agent Skill that reviews MCP server and client source code against a security
baseline and produces a compliance report with file/line evidence.

Checks: 5 baseline controls (authentication & identity isolation, sessions, rate
limiting, input-schema validation, official-SDK usage), 7 RCE vectors (command injection,
dynamic code eval, unsafe deserialization, path traversal, SSTI, dependency hijacking,
SSRF), and the OWASP MCP Top 10. Six-step process; uses NEEDS INVESTIGATION when source
alone can't decide.

Distinct from the existing mcp-security-audit skill, which audits .mcp.json configuration — this reviews server/client source code.

Validation: npm run skill:validate ✅ and npm run build ✅ (adds one row to
docs/README.skills.md). Single self-contained SKILL.md (matches existing skills like
agent-owasp-compliance). Blind-tested against intentionally vulnerable MCP repos across
multiple models (100% recall on planted vulnerabilities, zero false negatives).

Copilot AI review requested due to automatic review settings July 4, 2026 00:04
@Swethakumar1 Swethakumar1 requested a review from aaronpowell as a code owner July 4, 2026 00:04
@github-actions github-actions Bot added labels new-submission (PR adds at least one new contribution) and skills (PR touches skills) Jul 4, 2026
github-actions Bot commented Jul 4, 2026


🔒 PR Risk Scan Results

Scanned 2 changed file(s).

Severity counts: 🔴 High 0, 🟠 Medium 2, ℹ️ Info 0

Findings (severity, rule, file, line, match):
🟠 Medium, package-exec-command, docs/README.skills.md, line 31: | [acreadiness-assess](../skills/acreadiness-assess/SKILL.md)<br />`gh skills install github/awesome-copilot acreadiness-assess` | Run the AgentRC readiness assessment on the curre
🟠 Medium, unpinned-version-indicator, skills/mcp-security-baseline/SKILL.md, line 222: | Dependency hijacking | Unpinned deps such as `"lodash": "^4.0.0"`; internal package names resolvable from public registries | Pin exact versions, keep lock files with integrity h

This is an automated soft-gate report. Findings indicate review targets and do not block merge by themselves.

github-actions Bot commented Jul 4, 2026


🔍 Vally Lint Results

✅ All checks passed

Scope checked: Skills 1, Agents 0, Total 1
Severity counts: ❌ Errors 0, ⚠️ Warnings 0, ℹ️ Advisories 0

Full linter output
### Linting skills/mcp-security-baseline
npm warn EBADENGINE Unsupported engine {
npm warn EBADENGINE   package: 'commander@15.0.0',
npm warn EBADENGINE   required: { node: '>=22.12.0' },
npm warn EBADENGINE   current: { node: 'v20.20.2', npm: '10.8.2' }
npm warn EBADENGINE }
npm warn deprecated prebuild-install@7.1.3: No longer maintained. Please contact the author of the relevant native addon; alternatives are available.
✅ mcp-security-baseline (2/2 checks passed)
    ✓ [spec-compliance] All 1 skill(s) are spec-compliant.
        ✓ spec-compliance: All spec checks passed.
    ✓ [valid-refs] All file references across 1 skill(s) are valid.
        ✓ valid-refs: All file references resolve to existing files within the skill directory.

1 skill(s) linted, 1 passed

Copilot AI left a comment


Pull request overview

Adds a new Agent Skill (mcp-security-baseline) to help reviewers assess MCP server/client source code against a defined security baseline and produce an evidence-backed compliance report, and updates the generated skills index to include it.

Changes:

  • Added mcp-security-baseline skill with a structured 6-step review process, baseline controls (MCP-01..05), RCE vector checks, and OWASP MCP Top 10 mapping.
  • Updated docs/README.skills.md to include the new skill entry.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File: skills/mcp-security-baseline/SKILL.md. New skill definition and detailed review checklist/reporting format for MCP implementation security reviews.
File: docs/README.skills.md. Adds the new skill to the skills documentation index.

An Agent Skill that reviews MCP server and client source code against a security
baseline (5 controls, 7 RCE vectors, OWASP MCP Top 10) and produces a compliance
report with file/line evidence. Complements mcp-security-audit, which checks
.mcp.json configuration.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Swethakumar1 Swethakumar1 force-pushed the add-mcp-security-baseline-skill branch from 948e63d to e7ab12c on July 4, 2026 00:20