copilot-sdk
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFE
Full Analysis
- [Secret Management Practices]: The skill documentation guides users to manage API keys and tokens through environment variables and includes explicit examples of unsafe practices to avoid, such as hardcoding credentials.
- [Robust Permission Model]: It introduces a 'deny-by-default' architecture for tool execution, requiring developers to implement explicit handlers like onPermissionRequest to authorize model actions programmatically.
- [Controlled External Integrations]: The skill provides structured patterns for connecting to Model Context Protocol (MCP) servers, including security configurations for command arguments, timeouts, and restricted tool access.
- [Data Lifecycle Security]: Documentation includes instructions for managing session persistence and using hooks to redact sensitive information from tool results, helping to prevent accidental data exfiltration during AI interactions.
Audit Metadata