microsoft/owasp-mcp
.github/skills/security/owasp-mcp/SKILL.md
OWASP MCP Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in Model Context Protocol environments - Brought to you by microsoft/hve-core.
$ install --global
skillsauthnpx skillsauth add microsoft/hve-core owasp-mcpInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 9, 2026, 2:10 AM82.6s12 files scanned
SKILL.md
- name:
- owasp-mcp
- description:
- OWASP MCP Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in Model Context Protocol environments - Brought to you by microsoft/hve-core.
- license:
- CC-BY-SA-4.0
- user-invocable:
- false
- authors:
- OWASP MCP Top 10 Project
- spec_version:
- 1.0
- framework_revision:
- 1.0.0
- last_updated:
- 2026-02-13
- skill_based_on:
- https://github.com/chris-buckley/agnostic-prompt-standard
- content_based_on:
- https://owasp.org/www-project-mcp-top-10/
OWASP MCP Top 10 — Skill Entry
This SKILL.md is the entrypoint for the MCP Vulnerabilities skill.
The skill encodes the OWASP MCP Top 10 (2025) as structured, machine-readable references that an agent can query to identify, assess, and remediate MCP security risks.
Normative references (MCP Top 10)
- 00 Vulnerability Index
- 01 Token Mismanagement and Secret Exposure
- 02 Privilege Escalation via Scope Creep
- 03 Tool Poisoning
- 04 Software Supply Chain Attacks and Dependency Tampering
- 05 Command Injection and Execution
- 06 Prompt Injection via Contextual Payloads
- 07 Insufficient Authentication and Authorization
- 08 Lack of Audit and Telemetry
- 09 Shadow MCP Servers
- 10 Context Injection and Over-Sharing
Skill layout
SKILL.md— this file (skill entrypoint).references/— the MCP Top 10 normative documents.00-vulnerability-index.md— index of all vulnerability identifiers, severities, and cross-references.01through10— one document per vulnerability aligned with OWASP MCP numbering.
🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.
Related Skills
microsoft/pr-reference
tools
VerifiedTrustedCommunity
Generates PR reference XML containing commit history and unified diffs between branches with extension and path filtering. Includes utilities to list changed files by type and read diff chunks. Use when creating pull request descriptions, preparing code reviews, analyzing branch changes, discovering work items from diffs, or generating structured diff summaries. - Brought to you by microsoft/hve-core
909SKILL.mdUpdated Apr 9, 2026
microsoft/security-reviewer-formats
development
VerifiedTrustedCommunity
Format specifications and data contracts for the security reviewer orchestrator and its subagents - Brought to you by microsoft/hve-core.
909SKILL.mdUpdated Apr 9, 2026
microsoft/secure-by-design
development
VerifiedTrustedCommunity
Secure by Design principles knowledge base for assessing adherence to security-first design, development, and deployment practices across the software lifecycle - Brought to you by microsoft/hve-core.
909SKILL.mdUpdated Apr 9, 2026
microsoft/owasp-top-10
development
VerifiedTrustedCommunity
OWASP Top 10 for Web Applications (2025) vulnerability knowledge base for identifying, assessing, and remediating security risks in web application environments - Brought to you by microsoft/hve-core.
909SKILL.mdUpdated Apr 9, 2026