copilot-sdk

skills-sh:github_awesome-copilot__copilot-sdk

View source

100/100

First Seen

Feb 20, 2026

Last Scanned

Feb 20, 2026

Findings

Score

100/100

LOW 3

Findings (3)

LOW

pip install arbitrary package EXTDL_009

external-download L32

Detects pip install of arbitrary packages that modify the host environment

pip install gi

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

LOW

Non-localhost remote MCP server URL MCPCFG_004

mcp-config L542

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://api.githubcopilot.com/mcp/"

FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW

Mutable GitHub raw content reference THIRDPARTY_002

third-party-content L855

Detects references to raw.githubusercontent.com on mutable branches like main/master

github.com/github/copilot-sdk/blob/main/docs/tutorials/first-app.md

FIX

Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.

FP?

Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.