fix: address all 9 review comments

imran-siddique · Copilot · imran-siddique · commit d5052e11dd1c · 2026-04-04T11:27:23.000-07:00
1. Added 3 new skills to docs/README.skills.md index 2. Added imports (json, re) to shell injection check snippet 3. Updated unpinned deps wording to match code behavior (@latest only) 4. Moved check_secrets() outside per-server loop to avoid duplicates 5. Added imports note to verify_manifest snippet 6. Updated promotion_check to support both .github/plugin and .claude-plugin layouts 7. Updated CI example to cd into plugin directory before verifying 8. Added check sections for all 10 ASI controls (was missing 03, 04, 06, 08, 10) 9. Made ASI-01 code snippet runnable with actual file scanning implementation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/docs/README.skills.md b/docs/README.skills.md
@@ -28,6 +28,8 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
 | ---- | ----------- | -------------- |
 | [add-educational-comments](../skills/add-educational-comments/SKILL.md) | Add educational comments to the file specified, or prompt asking for file to comment if one is not provided. | None |
 | [agent-governance](../skills/agent-governance/SKILL.md) | Patterns and techniques for adding governance, safety, and trust controls to AI agent systems. Use this skill when:<br />- Building AI agents that call external tools (APIs, databases, file systems)<br />- Implementing policy-based access controls for agent tool usage<br />- Adding semantic intent classification to detect dangerous prompts<br />- Creating trust scoring systems for multi-agent workflows<br />- Building audit trails for agent actions and decisions<br />- Enforcing rate limits, content filters, or tool restrictions on agents<br />- Working with any agent framework (PydanticAI, CrewAI, OpenAI Agents, LangChain, AutoGen) | None |
+| [agent-owasp-compliance](../skills/agent-owasp-compliance/SKILL.md) | Check AI agent systems against the OWASP Agentic Security Initiative (ASI) Top 10 risks. Evaluates all 10 controls (prompt injection, tool governance, excessive agency, escalation, trust boundaries, logging, identity, policy integrity, supply chain, behavioral anomaly) and generates an X/10 compliance report. | None |
+| [agent-supply-chain](../skills/agent-supply-chain/SKILL.md) | Verify supply chain integrity for AI agent plugins and tools. Generate SHA-256 integrity manifests, verify installed plugins match published manifests, detect tampered files, audit dependency version pinning, and gate plugin promotion from dev to production. | None |
 | [agentic-eval](../skills/agentic-eval/SKILL.md) | Patterns and techniques for evaluating and improving AI agent outputs. Use this skill when:<br />- Implementing self-critique and reflection loops<br />- Building evaluator-optimizer pipelines for quality-critical generation<br />- Creating test-driven code refinement workflows<br />- Designing rubric-based or LLM-as-judge evaluation systems<br />- Adding iterative improvement to agent outputs (code, reports, analysis)<br />- Measuring and improving agent response quality | None |
 | [ai-prompt-engineering-safety-review](../skills/ai-prompt-engineering-safety-review/SKILL.md) | Comprehensive AI prompt engineering safety review and improvement prompt. Analyzes prompts for safety, bias, security vulnerabilities, and effectiveness while providing detailed improvement recommendations with extensive frameworks, testing methodologies, and educational content. | None |
 | [appinsights-instrumentation](../skills/appinsights-instrumentation/SKILL.md) | Instrument a webapp to send useful telemetry data to Azure App Insights | `LICENSE.txt`<br />`examples`<br />`references/ASPNETCORE.md`<br />`references/AUTO.md`<br />`references/NODEJS.md`<br />`references/PYTHON.md`<br />`scripts/appinsights.ps1` |
@@ -183,6 +185,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
 | [markdown-to-html](../skills/markdown-to-html/SKILL.md) | Convert Markdown files to HTML similar to `marked.js`, `pandoc`, `gomarkdown/markdown`, or similar tools; or writing custom script to convert markdown to html and/or working on web template systems like `jekyll/jekyll`, `gohugoio/hugo`, or similar web templating systems that utilize markdown documents, converting them to html. Use when asked to "convert markdown to html", "transform md to html", "render markdown", "generate html from markdown", or when working with .md files and/or web a templating system that converts markdown to HTML output. Supports CLI and Node.js workflows with GFM, CommonMark, and standard Markdown flavors. | `references/basic-markdown-to-html.md`<br />`references/basic-markdown.md`<br />`references/code-blocks-to-html.md`<br />`references/code-blocks.md`<br />`references/collapsed-sections-to-html.md`<br />`references/collapsed-sections.md`<br />`references/gomarkdown.md`<br />`references/hugo.md`<br />`references/jekyll.md`<br />`references/marked.md`<br />`references/pandoc.md`<br />`references/tables-to-html.md`<br />`references/tables.md`<br />`references/writing-mathematical-expressions-to-html.md`<br />`references/writing-mathematical-expressions.md` |
 | [mcp-cli](../skills/mcp-cli/SKILL.md) | Interface for MCP (Model Context Protocol) servers via CLI. Use when you need to interact with external tools, APIs, or data sources through MCP servers, list available MCP servers/tools, or call MCP tools from command line. | None |
 | [mcp-copilot-studio-server-generator](../skills/mcp-copilot-studio-server-generator/SKILL.md) | Generate a complete MCP server implementation optimized for Copilot Studio integration with proper schema constraints and streamable HTTP support | None |
+| [mcp-security-audit](../skills/mcp-security-audit/SKILL.md) | Audit MCP server configurations in .mcp.json files for security issues including secrets exposure, shell injection patterns, unpinned dependencies, and dangerous command patterns. | None |
 | [mcp-create-adaptive-cards](../skills/mcp-create-adaptive-cards/SKILL.md) | Skill converted from mcp-create-adaptive-cards.prompt.md | None |
 | [mcp-create-declarative-agent](../skills/mcp-create-declarative-agent/SKILL.md) | Skill converted from mcp-create-declarative-agent.prompt.md | None |
 | [mcp-deploy-manage-agents](../skills/mcp-deploy-manage-agents/SKILL.md) | Skill converted from mcp-deploy-manage-agents.prompt.md | None |
diff --git a/skills/agent-owasp-compliance/SKILL.md b/skills/agent-owasp-compliance/SKILL.md
@@ -56,22 +56,38 @@ Codebase → Scan for each ASI control:
 Look for input validation that runs **before** tool execution, not after LLM generation.
 
 ```python
+import re
+from pathlib import Path
+
 def check_asi_01(project_path: str) -> dict:
     """ASI-01: Is user input validated before reaching tool execution?"""
-    signals = {
-        "positive": [
-            "input_validation", "validate_input", "sanitize",
-            "classify_intent", "prompt_injection", "threat_detect",
-            "PolicyEvaluator", "PolicyEngine", "check_content",
-        ],
-        "negative": [
-            "eval(", "exec(", "subprocess.run(.*shell=True",
-            "os.system(", "input()",  # raw input passed to tools
-        ]
-    }
-    # Search codebase for these patterns
-    # Positive signals = controls exist
-    # Negative signals = potential vulnerabilities
+    positive_patterns = [
+        "input_validation", "validate_input", "sanitize",
+        "classify_intent", "prompt_injection", "threat_detect",
+        "PolicyEvaluator", "PolicyEngine", "check_content",
+    ]
+    negative_patterns = [
+        r"eval\(", r"exec\(", r"subprocess\.run\(.*shell=True",
+        r"os\.system\(",
+    ]
+
+    # Scan Python files for signals
+    root = Path(project_path)
+    positive_matches = []
+    negative_matches = []
+
+    for py_file in root.rglob("*.py"):
+        content = py_file.read_text(errors="ignore")
+        for pattern in positive_patterns:
+            if pattern in content:
+                positive_matches.append(f"{py_file.name}: {pattern}")
+        for pattern in negative_patterns:
+            if re.search(pattern, content):
+                negative_matches.append(f"{py_file.name}: {pattern}")
+
+    positive_found = len(positive_matches) > 0
+    negative_found = len(negative_matches) > 0
+
     return {
         "risk": "ASI-01",
         "name": "Prompt Injection",
@@ -122,6 +138,34 @@ def execute_tool(name: str, args: dict):
 
 ---
 
+## Check ASI-03: Excessive Agency
+
+Verify agent capabilities are bounded — not open-ended.
+
+**What to search for:**
+- Explicit capability lists or execution rings
+- Scope limits on what the agent can access
+- Principle of least privilege applied to tool access
+
+**Failing:** Agent has access to all tools by default.
+**Passing:** Agent capabilities defined as a fixed allowlist, unknown tools denied.
+
+---
+
+## Check ASI-04: Unauthorized Escalation
+
+Verify agents cannot promote their own privileges.
+
+**What to search for:**
+- Privilege level checks before sensitive operations
+- No self-promotion patterns (agent changing its own trust score or role)
+- Escalation requires external attestation (human or SRE witness)
+
+**Failing:** Agent can modify its own configuration or permissions.
+**Passing:** Privilege changes require out-of-band approval (e.g., Ring 0 requires SRE attestation).
+
+---
+
 ## Check ASI-05: Trust Boundary Violation
 
 In multi-agent systems, verify that agents verify each other's identity before accepting instructions.
@@ -145,6 +189,21 @@ def accept_task(sender_id: str, task: dict):
 
 ---
 
+## Check ASI-06: Insufficient Logging
+
+Verify all agent actions produce structured, tamper-evident audit entries.
+
+**What to search for:**
+- Structured logging for every tool call (not just print statements)
+- Audit entries include: timestamp, agent ID, tool name, args, result, policy decision
+- Append-only or hash-chained log format
+- Logs stored separately from agent-writable directories
+
+**Failing:** Agent actions logged via `print()` or not logged at all.
+**Passing:** Structured JSONL audit trail with chain hashes, exported to secure storage.
+
+---
+
 ## Check ASI-07: Insecure Identity
 
 Verify agents have cryptographic identity, not just string names.
@@ -162,6 +221,21 @@ Verify agents have cryptographic identity, not just string names.
 
 ---
 
+## Check ASI-08: Policy Bypass
+
+Verify policy enforcement is deterministic — not LLM-based.
+
+**What to search for:**
+- Policy evaluation uses deterministic logic (YAML rules, code predicates)
+- No LLM calls in the enforcement path
+- Policy checks cannot be skipped or overridden by the agent
+- Fail-closed behavior (if policy check errors, action is denied)
+
+**Failing:** Agent decides its own permissions via prompt ("Am I allowed to...?").
+**Passing:** PolicyEvaluator.evaluate() returns allow/deny in <0.1ms, no LLM involved.
+
+---
+
 ## Check ASI-09: Supply Chain Integrity
 
 Verify agent plugins and tools have integrity verification.
@@ -174,6 +248,21 @@ Verify agent plugins and tools have integrity verification.
 
 ---
 
+## Check ASI-10: Behavioral Anomaly
+
+Verify the system can detect and respond to agent behavioral drift.
+
+**What to search for:**
+- Circuit breakers that trip on repeated failures
+- Trust score decay over time (temporal decay)
+- Kill switch or emergency stop capability
+- Anomaly detection on tool call patterns (frequency, targets, timing)
+
+**Failing:** No mechanism to stop a misbehaving agent automatically.
+**Passing:** Circuit breaker trips after N failures, trust decays without activity, kill switch available.
+
+---
+
 ## Compliance Report Format
 
 ```markdown
diff --git a/skills/agent-supply-chain/SKILL.md b/skills/agent-supply-chain/SKILL.md
@@ -120,6 +120,10 @@ print(f"Generated manifest: {manifest['file_count']} files, "
 Check that current files match the manifest.
 
 ```python
+# Requires: hash_file() and generate_manifest() from Pattern 1 above
+import json
+from pathlib import Path
+
 def verify_manifest(plugin_dir: str) -> tuple[bool, list[str]]:
     """Verify plugin files against INTEGRITY.json."""
     root = Path(plugin_dir)
@@ -229,8 +233,17 @@ def promotion_check(plugin_dir: str) -> dict:
 
     # 2. Required files exist
     root = Path(plugin_dir)
-    required = ["README.md", ".claude-plugin/plugin.json"]
+    required = ["README.md"]
     missing = [f for f in required if not (root / f).exists()]
+
+    # Require at least one plugin manifest (supports both layouts)
+    manifest_paths = [
+        root / ".github/plugin/plugin.json",
+        root / ".claude-plugin/plugin.json",
+    ]
+    if not any(p.exists() for p in manifest_paths):
+        missing.append(".github/plugin/plugin.json (or .claude-plugin/plugin.json)")
+
     checks["required_files"] = {
         "passed": len(missing) == 0,
         "missing": missing
@@ -274,6 +287,8 @@ Add to your GitHub Actions workflow:
 ```yaml
 - name: Verify plugin integrity
   run: |
+    PLUGIN_DIR="${{ matrix.plugin || '.' }}"
+    cd "$PLUGIN_DIR"
     python -c "
     from pathlib import Path
     import json, hashlib, sys
diff --git a/skills/mcp-security-audit/SKILL.md b/skills/mcp-security-audit/SKILL.md
@@ -9,6 +9,7 @@ description: |
   - Auditing which MCP servers a project registers and whether they're on an approved list
   - Checking for environment variable usage vs. hardcoded credentials in MCP configs
   - Any request like "is my MCP config secure?", "audit my MCP servers", or "check .mcp.json"
+  keywords: [mcp, security, audit, secrets, shell-injection, supply-chain, governance]
 ---
 
 # MCP Security Audit
@@ -112,6 +113,9 @@ def check_secrets(mcp_config: dict) -> list[dict]:
 Detect dangerous command patterns in MCP server args.
 
 ```python
+import json
+import re
+
 DANGEROUS_PATTERNS = [
     (r'\$\(', "Command substitution $(...)"),
     (r'`[^`]+`', "Backtick command substitution"),
@@ -145,11 +149,11 @@ def check_shell_injection(server_config: dict) -> list[dict]:
 
 ## Audit Check 3: Unpinned Dependencies
 
-Flag MCP servers using `@latest` or unversioned packages.
+Flag MCP servers using `@latest` in their package references.
 
 ```python
 def check_pinned_versions(server_config: dict) -> list[dict]:
-    """Check that MCP server dependencies use pinned versions."""
+    """Check that MCP server dependencies use pinned versions, not @latest."""
     findings = []
     args = server_config.get("args", [])
     for arg in args:
@@ -204,11 +208,14 @@ def audit_mcp_config(mcp_path: str) -> dict:
     results = {"file": str(path), "servers": {}, "summary": {}}
     total_findings = []
 
+    # Run secrets check once on the whole config (not per-server)
+    config_level_findings = check_secrets(config)
+    total_findings.extend(config_level_findings)
+
     for name, server_config in servers.items():
         if not isinstance(server_config, dict):
             continue
         findings = []
-        findings.extend(check_secrets(config))
         findings.extend(check_shell_injection(server_config))
         findings.extend(check_pinned_versions(server_config))
         results["servers"][name] = {
