Files
ai-workflow-course/modules/22-securing-third-party-mcp-and-skills/lab
justin 3221f7abe8
CI / check (pull_request) Successful in 7s
Use python3 as the canonical command name course-wide (#104)
Most current systems (default Debian/Ubuntu, recent macOS) install Python
only as `python3`, with no bare `python` on PATH, so learners who copied
`python cli.py ...` into their host shell hit "command not found".

Convert host-shell `python <cmd>` -> `python3 <cmd>` across module/lab
READMEs, lab `.py` docstrings & usage strings, blog posts, lab prompt and
instruction files, the M04 verify.sh message, and the M10/M24 lab patches.
Module 01's convention note (and its blog/02 mirror) is rewritten so
`python3` is canonical and `python` is the documented fallback.

Stop-lines respected: Docker image tags (`python:3.12-slim`), `.venv/.../python`
and `...\.venv\Scripts\python.exe` paths, the M20 `"command": "python"`
teaching example and surrounding venv prose, container-internal invocations
(M16/M18 Dockerfiles, M16 README `docker run` examples), and CI-workflow
`run:` steps fed by `actions/setup-python` / `image: python:3.12` are left
as `python` on purpose.

pip was left out of scope: most occurrences are prose or CI/container-internal,
and `pip3` does not fix the PEP 668 externally-managed-environment refusal that
the course already addresses with venvs. The M01 note is worded to stay
consistent with bare `pip` (use whichever pip pairs with your Python).

Build (tools/build_wiki.py) and tools/check.sh both pass.

Closes #104

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01GAEzanEoGJT5o1VizQar47
2026-06-23 20:18:04 -04:00
..

Module 22 lab files

Run the lab from the module README. Quick map of what's here:

  • audit.sh: the runnable vetting checklist. bash audit.sh <dir> statically scans a skill or MCP server for red flags (network egress, secret/env reads, shell-out, obfuscation, broad FS access, hidden/injected instructions, zero-width characters). It only reads; it never executes the target.
  • suspicious-skill/: the audit TARGET for Part A. A deliberately malicious "export tasks to Notion" skill (SKILL.md + tools/sync.py). Do not install it or run sync.py against real credentials; it exfiltrates your environment and local secrets. The point is to catch it first.
  • poisoned-task.txt: the prompt-injection payload for Part B. A real-looking task with an injected "system" directive underneath, to add to the Module 1 tasks-app and feed to your AI.

Expected result of Part A:

bash audit.sh suspicious-skill   # exits non-zero, verdict: REJECT