Summary

Create the owasp-agentic skill under .github/skills/security/owasp-agentic/ providing detection checklists, severity guidance, and remediation patterns for the OWASP Top 10 for Agentic Applications 2026.

This skill is consumed by the security-reviewer agent (not user-invocable). Content is adapted from JasonTheDeveloper's owasp-skills agentic-vulnerabilities skill. Added to MVP because hve-core itself is an agentic application and the Agentic OWASP 2026 is the newest framework.

Acceptance Criteria

• .github/skills/security/owasp-agentic/SKILL.md exists with valid frontmatter
  • name: owasp-agentic matches directory name
  • description ends with - Brought to you by microsoft/hve-core
  • user-invocable: false
  • metadata.content_based_on references OWASP Agentic Top 10 2026 source URL
• references/ directory contains 11 files:
  • 00-vulnerability-index.md — summary table with all 10 agentic vulnerabilities
  • 10 individual vulnerability reference files (numbered 01- through 10-)
• Each reference file follows the 7-section pattern: Description → Risk → Vulnerability Checklist → Prevention Controls → Example Attacks → Detection Guidance → Remediation
• SKILL.md body references the vulnerability index and instructs the agent on how to traverse references
• npm run validate:skills passes for this skill

Content Source

Adapted from JasonTheDeveloper's owasp-skills agentic-vulnerabilities/ skill. Naming convention changed from agentic-vulnerabilities to owasp-agentic per Discussion #480 terminology.

Dependencies

• Depends on collection rename (chore(collections): rename security-planning collection to security #792) for directory path .github/skills/security/
• Can run in parallel with owasp-top-10 and owasp-llm skill issues