MCP and Agentic Skills Risk Coverage

What this is. This pack turns fresh MCP and agent-skill risk language into a reviewer-readable coverage artifact. It shows which SecurityRecipes evidence paths and MCP tools answer each OWASP MCP Top 10 and OWASP Agentic Skills Top 10 risk.

SecurityRecipes is positioned as The Secure Context Layer for Agentic AI. That claim needs to cover both sides of the emerging control plane:

  • MCP and tools: how an agent discovers, authorizes, describes, invokes, and audits external tools.
  • Agentic skills: the behavior packages, rules, hooks, extensions, and workflow instructions that tell agents how to combine tools into real actions.

The MCP and Agentic Skills Risk Coverage Pack maps those two layers to existing SecurityRecipes artifacts. It is designed for platform teams, procurement reviewers, GRC, reviewers, and reviewers who need to know whether the project tracks the newest risks without reading the whole site.

Generated artifact

  • Source model: data/assurance/mcp-risk-coverage-profile.json
  • Generator:
  • Evidence pack: data/evidence/mcp-risk-coverage-pack.json
  • MCP tool: recipes_mcp_risk_coverage_pack

Regenerate and validate the pack:

Why this matters

MCP gives agents a common way to reach tools and context. Skills give agents reusable workflows for using those tools. Enterprise failure modes now cross both layers: a safe-looking tool can be poisoned, a safe looking skill can over-request authority, and a well-scoped context package can become unsafe when it is handed to a different agent, model, or runtime.

This pack makes that coverage explicit:

Risk surface SecurityRecipes evidence
MCP token, scope, and authorization failures MCP Authorization Conformance, Gateway Policy, Agent Identity Ledger, Entitlement Review
Tool poisoning and drift MCP Tool Risk Contract, MCP Tool Surface Drift Sentinel, Connector Intake, Context Poisoning Guard
Local server and command execution MCP STDIO Launch Boundary, Agent Skill Supply Chain, Action Runtime Pack
Shadow MCP servers Connector Intake, Connector Trust, STDIO Launch Boundary, Agentic System BOM
Context injection and over-sharing Secure Context Trust Pack, Context Poisoning Guard, Context Egress Boundary, Memory Boundary, Handoff Boundary
Malicious or over-privileged skills Agent Skill Supply Chain, Gateway Policy, Identity Ledger, Entitlement Review, Action Runtime Pack
Skill isolation, scanning, and update drift Browser Agent Boundary, Measurement Probes, Red-Team Drills, Tool Surface Drift
Governance and trust review evidence Enterprise Trust Center Export, Agentic System BOM, Telemetry Contract, Run Receipts

MCP examples

Get the full coverage summary:

{}

Inspect one risk:

{
  "risk_id": "MCP03"
}

Inspect one standard:

{
  "standard_id": "owasp-agentic-skills-top-10-2026"
}

Find every risk covered by one capability:

{
  "capability_id": "agent-skill-supply-chain-pack"
}

Filter for critical risks:

{
  "risk_tier": "critical"
}

Readiness gate

The open pack proves that SecurityRecipes understands the current MCP and skills risk landscape. The trusted-source layer is the natural hosted version of those controls:

  • live MCP connector discovery and admission,
  • tool-surface and annotation drift monitoring,
  • skill registry scanning and permission review,
  • endpoint launch policy for local MCP servers,
  • hosted action firewall APIs,
  • signed run and approval receipts,
  • telemetry redaction validation,
  • customer-private trust-center exports.

That is the path from useful public knowledge to a production control plane a frontier lab, AI coding platform, cloud provider, or security vendor could buy.

Source anchors

Review and regenerate the pack when these sources change:

See also