github/typespec-create-api-plugin
skills/typespec-create-api-plugin/SKILL.md
Generate a TypeSpec API plugin with REST operations, authentication, and Adaptive Cards for Microsoft 365 Copilot
$ install --global
skillsauthnpx skillsauth add github/awesome-copilot typespec-create-api-pluginInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
4 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
4
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 18, 2026, 5:21 PM101.7s1 file scanned
SKILL.md
- name:
- typespec-create-api-plugin
- description:
- Generate a TypeSpec API plugin with REST operations, authentication, and Adaptive Cards for Microsoft 365 Copilot
Create TypeSpec API Plugin
Create a complete TypeSpec API plugin for Microsoft 365 Copilot that integrates with external REST APIs.
Requirements
Generate TypeSpec files with:
main.tsp - Agent Definition
import "@typespec/http";
import "@typespec/openapi3";
import "@microsoft/typespec-m365-copilot";
import "./actions.tsp";
using TypeSpec.Http;
using TypeSpec.M365.Copilot.Agents;
using TypeSpec.M365.Copilot.Actions;
@agent({
name: "[Agent Name]",
description: "[Description]"
})
@instructions("""
[Instructions for using the API operations]
""")
namespace [AgentName] {
// Reference operations from actions.tsp
op operation1 is [APINamespace].operationName;
}
actions.tsp - API Operations
import "@typespec/http";
import "@microsoft/typespec-m365-copilot";
using TypeSpec.Http;
using TypeSpec.M365.Copilot.Actions;
@service
@actions(#{
nameForHuman: "[API Display Name]",
descriptionForModel: "[Model description]",
descriptionForHuman: "[User description]"
})
@server("[API_BASE_URL]", "[API Name]")
@useAuth([AuthType]) // Optional
namespace [APINamespace] {
@route("[/path]")
@get
@action
op operationName(
@path param1: string,
@query param2?: string
): ResponseModel;
model ResponseModel {
// Response structure
}
}
Authentication Options
Choose based on API requirements:
-
No Authentication (Public APIs)
// No @useAuth decorator needed -
API Key
@useAuth(ApiKeyAuth<ApiKeyLocation.header, "X-API-Key">) -
OAuth2
@useAuth(OAuth2Auth<[{ type: OAuth2FlowType.authorizationCode; authorizationUrl: "https://oauth.example.com/authorize"; tokenUrl: "https://oauth.example.com/token"; refreshUrl: "https://oauth.example.com/token"; scopes: ["read", "write"]; }]>) -
Registered Auth Reference
@useAuth(Auth) @authReferenceId("registration-id-here") model Auth is ApiKeyAuth<ApiKeyLocation.header, "X-API-Key">
Function Capabilities
Confirmation Dialog
@capabilities(#{
confirmation: #{
type: "AdaptiveCard",
title: "Confirm Action",
body: """
Are you sure you want to perform this action?
* **Parameter**: {{ function.parameters.paramName }}
"""
}
})
Adaptive Card Response
@card(#{
dataPath: "$.items",
title: "$.title",
url: "$.link",
file: "cards/card.json"
})
Reasoning & Response Instructions
@reasoning("""
Consider user's context when calling this operation.
Prioritize recent items over older ones.
""")
@responding("""
Present results in a clear table format with columns: ID, Title, Status.
Include a summary count at the end.
""")
Best Practices
- Operation Names: Use clear, action-oriented names (listProjects, createTicket)
- Models: Define TypeScript-like models for requests and responses
- HTTP Methods: Use appropriate verbs (@get, @post, @patch, @delete)
- Paths: Use RESTful path conventions with @route
- Parameters: Use @path, @query, @header, @body appropriately
- Descriptions: Provide clear descriptions for model understanding
- Confirmations: Add for destructive operations (delete, update critical data)
- Cards: Use for rich visual responses with multiple data items
Workflow
Ask the user:
- What is the API base URL and purpose?
- What operations are needed (CRUD operations)?
- What authentication method does the API use?
- Should confirmations be required for any operations?
- Do responses need Adaptive Cards?
Then generate:
- Complete
main.tspwith agent definition - Complete
actions.tspwith API operations and models - Optional
cards/card.jsonif Adaptive Cards are needed
Related Skills
github/python-pypi-package-builder
tools
VerifiedTrustedOfficial
End-to-end skill for building, testing, linting, versioning, and publishing a production-grade Python library to PyPI. Covers all four build backends (setuptools+setuptools_scm, hatchling, flit, poetry), PEP 440 versioning, semantic versioning, dynamic git-tag versioning, OOP/SOLID design, type hints (PEP 484/526/544/561), Trusted Publishing (OIDC), and the full PyPA packaging flow. Use for: creating Python packages, pip-installable SDKs, CLI tools, framework plugins, pyproject.toml setup, py.typed, setuptools_scm, semver, mypy, pre-commit, GitHub Actions CI/CD, or PyPI publishing.
29,271SKILL.mdUpdated Apr 11, 2026
github/mcp-security-audit
tools
VerifiedTrustedOfficial
Audit MCP (Model Context Protocol) server configurations for security issues. Use this skill when: - Reviewing .mcp.json files for security risks - Checking MCP server args for hardcoded secrets or shell injection patterns - Validating that MCP servers use pinned versions (not @latest) - Detecting unpinned dependencies in MCP server configurations - Auditing which MCP servers a project registers and whether they're on an approved list - Checking for environment variable usage vs. hardcoded credentials in MCP configs - Any request like "is my MCP config secure?", "audit my MCP servers", or "check .mcp.json" keywords: [mcp, security, audit, secrets, shell-injection, supply-chain, governance]
29,271SKILL.mdUpdated Apr 11, 2026
github/lsp-setup
tools
VerifiedTrustedOfficial
Enable code intelligence (go-to-definition, find-references, hover, type info) for any programming language by installing and configuring an LSP server for Copilot CLI. Detects the OS, installs the right server, and generates the JSON configuration (user-level or repo-level). Use when you need deeper code understanding and no LSP server is configured, or when the user asks to set up, install, or configure an LSP server.
29,271SKILL.mdUpdated Apr 11, 2026
github/gsap-framer-scroll-animation
development
VerifiedTrustedOfficial
Use this skill whenever the user wants to build scroll animations, scroll effects, parallax, scroll-triggered reveals, pinned sections, horizontal scroll, text animations, or any motion tied to scroll position — in vanilla JS, React, or Next.js. Covers GSAP ScrollTrigger (pinning, scrubbing, snapping, timelines, horizontal scroll, ScrollSmoother, matchMedia) and Framer Motion / Motion v12 (useScroll, useTransform, useSpring, whileInView, variants). Use this skill even if the user just says "animate on scroll", "fade in as I scroll", "make it scroll like Apple", "parallax effect", "sticky section", "scroll progress bar", or "entrance animation". Also triggers for Copilot prompt patterns for GSAP or Framer Motion code generation. Pairs with the premium-frontend-ui skill for creative philosophy and design-level polish.
29,271SKILL.mdUpdated Apr 11, 2026