Improve agent-security MCP connector boundary review #1552

Open

wowsofine wants to merge 1 commit into UnitOneAI:main from wowsofine:improve/agent-security-mcp-connector-boundaries

Conversation

@wowsofine

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: agent-security
Skill path: skills/ai-security/agent-security/

What Was Wrong

The skill already reviewed tool permission models, least privilege, HITL gates, blast radius, audit trails, rollback, and multi-agent trust boundaries, but MCP/SaaS connector authorization was only mentioned as context to gather. It did not give reviewers a concrete checklist for connector manifests, delegated OAuth scopes, consent provenance, remote MCP server trust, token lifecycle, or tool schema drift.

What This PR Fixes

This PR adds a focused MCP / connector security review section to agent-security that covers:

  • Connector manifest inventory and ownership
  • OAuth scope minimization for delegated connector access
  • Resource/audience binding for connector tokens
  • Consent provenance and approval evidence
  • Token lifecycle and revocation propagation
  • Remote MCP server trust and tool schema drift
  • Cross-connector aggregation risk where one workflow can read sensitive data and send it externally

It also adds an MCP / Connector Boundary Inventory table to the output format and references MCP Authorization plus OAuth RFCs 9700, 8707, and 9728.

Evidence

Before (skill misses this):

An agent has a narrow local tool registry, but it connects to a remote MCP server whose manifest can expose new write/send tools, and the connector uses a broad OAuth token approved months earlier. The existing review flow asks for MCP server configs as context, but does not guide reviewers to verify connector ownership, scopes, consent provenance, resource binding, schema drift, or revocation propagation.

After (now correctly handled):

The new MCP and Connector Security Review section asks reviewers to inspect connector manifests, OAuth grants, protected resource / tenant binding, consent records, token broker behavior, remote tool schema changes, and cross-connector aggregation paths. It also defines Critical/High/Medium finding conditions for overbroad connector tokens, remote MCP tool drift, missing consent provenance, missing resource binding, and stale cached credentials.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing checks still pass

No standalone test fixture exists for this markdown-only skill. I verified the change with frontmatter validation, prompt-injection pattern scan, git diff --check, and content marker checks.

Bounty Tier

  • Minor ($50) — Doc update, small logic tweak, typo fix
  • Moderate ($100) — New edge case coverage, FP reduction with evidence
  • Substantial ($150) — Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: GitHub Sponsors

Framework References

Testing

  • git diff --check
  • Frontmatter field validation matching .github/workflows/lint-skills.yml
  • Prompt injection pattern scan matching .github/workflows/injection-scan.yml
  • Content marker check for the new MCP / connector review section and references
  • Tested with Codex reviewing this skill file as a defensive architecture checklist update
