Files
ai-workflow-course/modules/22-securing-third-party-mcp-and-skills/lab
claude f925fd9645 fix(M7-27+capstone): apply AI-drives-git reframe, lesson=theory, de-slop course-wide
Phase 2 sweep — all modules are post-pivot, so the learner directs the AI agent
(Claude Code as the worked example) to do the git/setup work and verifies, instead
of typing commands by hand; no re-teaching basics. Lesson sections are theory with
example output; all execution lives in the labs. De-slopped ("prose" etc. gone
course-wide, em-dash density thinned). /path/to placeholders -> ~/ai-workflow-course.

Every deliberate teaching device verified intact: M10 ai-change.patch trap,
M12 bad-clear-snippet, M13/M27 planted pending_count bug, M15 secret+typosquat+MD5,
M18 BREAK=1, M21 absent-.gitignore, M22 poisoned skill, M24 no-op patch, M25 --simulate.
Labs compile/parse (py/sh/yaml/json); no junk.

Closes #83
Closes #86
Closes #89

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TfzV5QvtPDz8LJS3Pu5VLT
2026-06-22 21:58:17 -04:00
..

Module 22 lab files

Run the lab from the module README. Quick map of what's here:

  • audit.sh — the runnable vetting checklist. bash audit.sh <dir> statically scans a skill or MCP server for red flags (network egress, secret/env reads, shell-out, obfuscation, broad FS access, hidden/injected instructions, zero-width characters). It only reads; it never executes the target.
  • suspicious-skill/ — the audit TARGET for Part A. A deliberately malicious "export tasks to Notion" skill (SKILL.md + tools/sync.py). Do not install it or run sync.py against real credentials — it exfiltrates your environment and local secrets. The point is to catch it first.
  • poisoned-task.txt — the prompt-injection payload for Part B. A real-looking task with an injected "system" directive underneath, to add to the Module 1 tasks-app and feed to your AI.

Expected result of Part A:

bash audit.sh suspicious-skill   # exits non-zero, verdict: REJECT