copilot-sdk
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION | REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references several software packages from official registries, including '@github/copilot-sdk' (NPM), 'github-copilot-sdk' (PyPI), and 'GitHub.Copilot.SDK' (NuGet). These packages are associated with GitHub, a well-known and trusted technology provider.
- [COMMAND_EXECUTION]: The documentation includes examples of Model Context Protocol (MCP) integration that utilize local command execution, such as using 'npx' to run the '@modelcontextprotocol/server-filesystem' package. This is a standard architectural pattern for AI agent tool extensions.
- [REMOTE_CODE_EXECUTION]: The skill demonstrates how to connect to remote MCP servers via HTTP endpoints (e.g., 'api.githubcopilot.com'). These references target official service domains and are consistent with the skill's stated purpose of building Copilot integrations.
- [CREDENTIALS_UNSAFE]: While the skill mentions the use of sensitive tokens (e.g., 'GITHUB_TOKEN', 'FOUNDRY_API_KEY'), it demonstrates best practices by advising users to manage these via environment variables or secure CLI authentication rather than hardcoding them.