feat(skill): introduce owasp-ml#1227

Open
JasonTheDeveloper wants to merge 21 commits into microsoft:main from JasonTheDeveloper:feat/1205

Conversation

@JasonTheDeveloper
Contributor

Pull Request

Description

In alignment with phase 2 discussed in #480 (comment), this PR introduces the OWASP ML Top 10 skill to hve-core and the security reviewer agent.

Related Issue(s)

Closes #1205

Type of Change

Select all that apply:

Code & Documentation:

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to change)
  • Documentation update

Infrastructure & Configuration:

  • GitHub Actions workflow
  • Linting configuration (markdown, PowerShell, etc.)
  • Security configuration
  • DevContainer configuration
  • Dependency update

AI Artifacts:

  • Reviewed contribution with prompt-builder agent and addressed all feedback
  • Copilot instructions (.github/instructions/*.instructions.md)
  • Copilot prompt (.github/prompts/*.prompt.md)
  • Copilot agent (.github/agents/*.agent.md)
  • Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

  • Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
  • Skills: Must include both bash and PowerShell scripts. See Skills.
  • Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
  • See Agents Not Accepted and Model Version Requirements.

Other:

  • Script/automation (.ps1, .sh, .py)
  • Other (please describe):

Testing

To be able to test the owasp-ml skill using the security reviewer agent, you will need a repository containing MCP code (not just configurations).

  1. Either select the Security Reviewer agent or invoke the agent via the /security-review instruction
  2. Use the following prompt: "analyse the code and produce a vulnerability report"
    • If you are testing whether codebase-profiler.agent.md picks up that the repository contains MCP code and thus uses the owasp-ml skill, then that's all you need.
    • If you only want to test that the owasp-ml skill is used, add targetSkill=owasp-ml to your prompt.

You should see in the output report the owasp-ml skill being referenced and used.

Checklist

Required Checks

  • Documentation is updated (if applicable)
  • Files follow existing naming conventions
  • Changes are backwards compatible (if applicable)
  • Tests added for new functionality (if applicable)

AI Artifact Contributions

  • Used /prompt-analyze to review contribution
  • Addressed all feedback from prompt-builder review
  • Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

  • Markdown linting: npm run lint:md
  • Spell checking: npm run spell-check
  • Frontmatter validation: npm run lint:frontmatter
  • Skill structure validation: npm run validate:skills
  • Link validation: npm run lint:md-links
  • PowerShell analysis: npm run lint:ps
  • Plugin freshness: npm run plugin:generate

Security Considerations

  • This PR does not contain any sensitive or NDA information
  • Any new dependencies have been reviewed for security issues
  • Security-related scripts follow the principle of least privilege

JasonTheDeveloper requested a review from a team as a code owner on March 27, 2026 at 23:59
@codecov-commenter

codecov-commenter commented Mar 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.62%. Comparing base (07bd2ab) to head (988e0b9).


@@            Coverage Diff             @@
##             main    #1227      +/-   ##
==========================================
- Coverage   87.63%   87.62%   -0.02%     
==========================================
  Files          61       61              
  Lines        9328     9328              
==========================================
- Hits         8175     8174       -1     
- Misses       1153     1154       +1     
Flag: pester, coverage 85.18% <ø> (-0.02%)

@WilliamBerryiii
Member

WilliamBerryiii commented Mar 28, 2026

@JasonTheDeveloper - how do you anticipate this particular skill is used? I get the other ones for review and evaluation of existing code and for reviews of PRs, but this feels more like a planning setup. My concern with planning is that skills tend to not be great for overview/breadth needs of planning vs deep task specific work where skills tend to excel.

@JasonTheDeveloper
Contributor Author

@WilliamBerryiii I was thinking this skill in particular would help data scientists as they're writing notebooks, for example to train and utilise models. I do see where you're coming from. Although I believe the utilisation of this skill in particular would be a lot lower than others, I felt it might still be relevant. Happy to abandon the PR if you feel it's not necessary.

@WilliamBerryiii
Member

To the other maintainers ... I'm still thinking through how we provide this capability into the ecosystem. I am of the opinion that it probably makes the most sense as a "planner" system, like SSSC, RAI, and Security (and the forthcoming "accessibility" one). @C-Neisinger ... would also appreciate some input from you on this one.

Development

Successfully merging this pull request may close these issues.

feat(skills): add owasp-ml skill for OWASP Top 10 ml vulnerability assessment

3 participants