Add mcp-security-baseline skill#2212
Conversation
🔒 PR Risk Scan ResultsScanned 2 changed file(s).
|
🔍 Vally Lint Results✅ All checks passed
Summary
Full linter output |
There was a problem hiding this comment.
Pull request overview
Adds a new Agent Skill (mcp-security-baseline) to help reviewers assess MCP server/client source code against a defined security baseline and produce an evidence-backed compliance report, and updates the generated skills index to include it.
Changes:
- Added
mcp-security-baselineskill with a structured 6-step review process, baseline controls (MCP-01..05), RCE vector checks, and OWASP MCP Top 10 mapping. - Updated
docs/README.skills.mdto include the new skill entry.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| skills/mcp-security-baseline/SKILL.md | New skill definition and detailed review checklist/reporting format for MCP implementation security reviews. |
| docs/README.skills.md | Adds the new skill to the skills documentation index. |
An Agent Skill that reviews MCP server and client source code against a security baseline (5 controls, 7 RCE vectors, OWASP MCP Top 10) and produces a compliance report with file/line evidence. Complements mcp-security-audit, which checks .mcp.json configuration. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
948e63d to
e7ab12c
Compare
aaronpowell
left a comment
There was a problem hiding this comment.
Very minor nitpicks on the skill
- Remove the top-level `keywords` field: it is not a recognized skill front-matter field and is ignored (skills are indexed for search by name + description only). The keyword terms are already present in the description, so discovery is unaffected. - Link the MCP 2025-03-26 specification at the protocol-version check so the agent has it for quick reference. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…rent MCP spec - Change the unsafe-deserialization example from `yaml.load(..., Loader=yaml.FullLoader)` to `Loader=yaml.UnsafeLoader` to reflect genuinely unsafe usage. - Add a link to the current MCP spec revision (2025-11-25) alongside the 2025-03-26 baseline on the protocol-version check. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
| | Pattern | Transport | | ||
| |---|---| | ||
| | `transport="http"` or `transport="sse"` | HTTP/SSE | | ||
| | `StreamableHttpServerTransport` | HTTP (TS/JS) | | ||
| | `SSEServerTransport` | SSE (TS/JS) | | ||
| | `WithHttpTransport()` | HTTP (C#) | | ||
| | `host="0.0.0.0"` | All-interfaces binding | | ||
| | Express `.listen(port)` with MCP routes | HTTP (default `0.0.0.0`) | | ||
| | `EXPOSE` in Dockerfile + MCP server | Network-exposed | |
| ### Step 3 — Check baseline controls | ||
| - For **network-exposed servers**, check **MCP-01** through **MCP-05**. | ||
| - For **local/STDIO servers**, do not mark baseline controls PASS/FAIL; give best-practice notes and continue to RCE review. | ||
| - For **clients**, only review token/session handling explicitly visible in client code; do not apply the server baseline unless the user asks for client-side risk review. | ||
|
|
||
| **Completion criterion:** Each applicable control has a supported status. |
| ### Step 3 — Check baseline controls | ||
| - For **network-exposed servers**, check **MCP-01** through **MCP-05**. | ||
| - For **local/STDIO servers**, do not mark baseline controls PASS/FAIL; give best-practice notes and continue to RCE review. | ||
| - For **clients**, only review token/session handling explicitly visible in client code; do not apply the server baseline unless the user asks for client-side risk review. | ||
|
|
||
| **Completion criterion:** Each applicable control has a supported status. |
| ## Process | ||
|
|
||
| ### Step 1 — Classify the target | ||
| - Check **MCP protocol version [2025-03-26](https://modelcontextprotocol.io/specification/2025-03-26) or later** (current: [2025-11-25](https://modelcontextprotocol.io/specification/2025-11-25)). Flag older versions as a finding but continue the review. |
🔍 Potential Duplicate Resources DetectedThis PR adds a resource that may be similar to an existing one in the repository. Please review this potential overlap before merging to avoid redundancy.
Possible DuplicatesGroup 1: MCP security review skills
Why flagged: Both skills share the Suggestion: The two skills cover genuinely different layers — configuration auditing vs. source code review — and the PR description explicitly acknowledges this distinction. Consider whether the skill's description and use-case examples make the difference from
|
Add skill:
mcp-security-baselineAn Agent Skill that reviews MCP server and client source code against a security
baseline and produces a compliance report with file/line evidence.
Checks: 5 baseline controls (authentication & identity isolation, sessions, rate
limiting, input-schema validation, official-SDK usage), 7 RCE vectors (command injection,
dynamic code eval, unsafe deserialization, path traversal, SSTI, dependency hijacking,
SSRF), and the OWASP MCP Top 10. Six-step process; uses
NEEDS INVESTIGATIONwhen sourcealone can't decide.
Distinct from the existing
mcp-security-auditskill, which audits.mcp.jsonconfiguration — this reviews server/client source code.Validation:
npm run skill:validate✅ andnpm run build✅ (adds one row todocs/README.skills.md). Single self-containedSKILL.md(matches existing skills likeagent-owasp-compliance). Blind-tested against intentionally vulnerable MCP repos acrossmultiple models (100% recall on planted vulnerabilities, zero false negatives).