Files
ai-workflow-course/modules/22-securing-third-party-mcp-and-skills/lab/README.md
T
claude fbec36cb67 feat(course): build out all 27 modules, capstone, scaffold, and conventions
Scaffold the course repo and author the full curriculum in dependency-chain
order, following the settled build decisions in handoff.md.

- Scaffold: course README, vendor-neutral AGENTS.md (dogfoods Module 5),
  _TEMPLATE.md (the fixed 9-section module shape), root .gitignore, ship config.
- Modules 1-2: reference exemplars (locked for tone/depth/lab style).
- Modules 3-27: full lessons + runnable labs, each following the template,
  respecting the chain, vendor/model-agnostic, with "feel the pain" labs.
- Module 8 hosting comparison web-researched and date-stamped (as of 2026-06-22),
  not written from memory; expansion-zone modules carry Verify-before-publish.
- Capstone: the full loop end to end on the running tasks-app example.

Lab code syntax-checked (Python/shell/YAML); every module has the 7 core
template sections.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TfzV5QvtPDz8LJS3Pu5VLT
2026-06-22 12:18:30 -04:00

998 B

Module 22 lab files

Run the lab from the module README. Quick map of what's here:

  • audit.sh — the runnable vetting checklist. bash audit.sh <dir> statically scans a skill or MCP server for red flags (network egress, secret/env reads, shell-out, obfuscation, broad FS access, hidden/injected instructions, zero-width characters). It only reads; it never executes the target.
  • suspicious-skill/ — the audit TARGET for Part A. A deliberately malicious "export tasks to Notion" skill (SKILL.md + tools/sync.py). Do not install it or run sync.py against real credentials — it exfiltrates your environment and local secrets. The point is to catch it first.
  • poisoned-task.txt — the prompt-injection payload for Part B. A real-looking task with an injected "system" directive underneath, to add to the Module 1 tasks-app and feed to your AI.

Expected result of Part A:

bash audit.sh suspicious-skill   # exits non-zero, verdict: REJECT