
feat(skill): introduce owasp-mcp#1207

Open
JasonTheDeveloper wants to merge 21 commits into microsoft:main from JasonTheDeveloper:feat/1204

Conversation

@JasonTheDeveloper
Contributor

@JasonTheDeveloper JasonTheDeveloper commented Mar 26, 2026

Pull Request

Description

In alignment with phase 2 discussed in #480 (comment), this PR introduces the OWASP MCP Top 10 skill to hve-core and the security reviewer agent.

Related Issue(s)

Closes #1204

Type of Change

Select all that apply:

Code & Documentation:

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to change)
  • Documentation update

Infrastructure & Configuration:

  • GitHub Actions workflow
  • Linting configuration (markdown, PowerShell, etc.)
  • Security configuration
  • DevContainer configuration
  • Dependency update

AI Artifacts:

  • Reviewed contribution with prompt-builder agent and addressed all feedback
  • Copilot instructions (.github/instructions/*.instructions.md)
  • Copilot prompt (.github/prompts/*.prompt.md)
  • Copilot agent (.github/agents/*.agent.md)
  • Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

  • Agents: Research, indexing/referencing other projects (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
  • Skills: Must include both bash and PowerShell scripts. See Skills.
  • Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
  • See Agents Not Accepted and Model Version Requirements.

Other:

  • Script/automation (.ps1, .sh, .py)
  • Other (please describe):

Testing

To be able to test the owasp-mcp skill using the security reviewer agent you will need a repository containing MCP code (not configurations).

  1. Either select the Security Reviewer agent or invoke the agent via the /security-review instruction
  2. Use the following prompt: analyse the code and produce a vulnerability report
    • If you are testing whether codebase-profiler.agent.md picks up that the repository contains MCP code and thus uses the owasp-mcp skill, then that's all you need.
    • If you only want to test that the owasp-mcp skill is used, add targetSkill=owasp-mcp to your prompt

You should see in the output report the owasp-mcp skill being referenced and used.

Checklist

Required Checks

  • Documentation is updated (if applicable)
  • Files follow existing naming conventions
  • Changes are backwards compatible (if applicable)
  • Tests added for new functionality (if applicable)

AI Artifact Contributions

  • Used /prompt-analyze to review contribution
  • Addressed all feedback from prompt-builder review
  • Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

  • Markdown linting: npm run lint:md
  • Spell checking: npm run spell-check
  • Frontmatter validation: npm run lint:frontmatter
  • Skill structure validation: npm run validate:skills
  • Link validation: npm run lint:md-links
  • PowerShell analysis: npm run lint:ps
  • Plugin freshness: npm run plugin:generate

Security Considerations

  • This PR does not contain any sensitive or NDA information
  • Any new dependencies have been reviewed for security issues
  • Security-related scripts follow the principle of least privilege

@codecov-commenter

codecov-commenter commented Mar 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.71%. Comparing base (84ddd5d) to head (4b537a4).


@@            Coverage Diff             @@
##             main    #1207      +/-   ##
==========================================
- Coverage   87.72%   87.71%   -0.02%     
==========================================
  Files          61       61              
  Lines        9320     9320              
==========================================
- Hits         8176     8175       -1     
- Misses       1144     1145       +1     
Flag Coverage Δ
pester 85.31% <ø> (-0.02%) ⬇️


@JasonTheDeveloper JasonTheDeveloper marked this pull request as ready for review March 26, 2026 09:03
@JasonTheDeveloper JasonTheDeveloper requested a review from a team as a code owner March 26, 2026 09:03
Contributor

@rezatnoMsirhC rezatnoMsirhC left a comment


LGTM other than some minor consistency nitpicks. Thanks!

Comment on lines +546 to +548
- path: .github/skills/security/owasp-mcp
  kind: skill
  maturity: experimental
Contributor


I want to make a similar comment as below for collections/hve-core-all.collection.md, but it looks like collections/hve-core-all.collection.md doesn't have all of the skills listed here. Not sure if it was neglected when other skills were added here, or if it was intentionally not updated previously.

@WilliamBerryiii for visibility

Contributor Author


There might be a bug in one of the npm run commands. When you run npm run plugin:generate, plugins/security/README.md is auto generated with everything defined in the *.collection.yml. Should collections/security.collection.md also be auto updated as well, or is that the responsibility of the contributor to update?

If you don't specify a newly added skill within collections/hve-core-all.collection.yml for example, npm run plugin:generate will automatically update the yml for you. I'd probably expect the *.collection.md to also be auto updated as well.

Contributor


It may be a bit confusing indeed. The <collection>.md is manually edited, together with the <collection>.yml. The README in the corresponding plugin folder is constructed based on the <collection>.md file.
For the hve-core-all.collection.yml there is a different behavior, which will update the file based on the contents of the other collections.

But it's a good point, you'd probably expect the collection.md file to be auto-generated. I think we should reflect if we have enough and maybe include a templating to allow for a header which is unique to the collection (which is something we need in some cases).

Contributor Author


It looks like hve-core-all.collection.yml is a bit out of date. It might be better to create a separate issue for it and raise another PR for it. What do you think @katriendg?

Member


To be honest ... I also probably broke a bunch of stuff last night again with my hot fixes 🤣

@JasonTheDeveloper - yeah if you can get an issue filed I'd really appreciate it ❤️


Development

Successfully merging this pull request may close these issues.

feat(skills): add owasp-mcp skill for OWASP Top 10 mcp vulnerability assessment

5 participants