copilot-cli-mcp-config
Manages GitHub Copilot CLI MCP server configurations using mcp-config.json for seamless integration and server management.
Install this skill
Security score
The copilot-cli-mcp-config skill was audited on May 12, 2026 and we found 23 security issues across 3 threat categories, including 5 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 74 | ```json |
Template literal with variable interpolation in command context
| 101 | ```json |
Template literal with variable interpolation in command context
| 154 | Use `${VAR_NAME}` syntax for variable substitution: |
Template literal with variable interpolation in command context
| 156 | ```json |
Template literal with variable interpolation in command context
| 181 | | **Env vars** | Supports `inputs` and `envFile` | Only `env` object with `${VAR}` syntax | |
Template literal with variable interpolation in command context
| 183 | | **Variable syntax** | Can use `inputs` references | Must use `${VARIABLE}` syntax | |
Template literal with variable interpolation in command context
| 187 | ```json |
Template literal with variable interpolation in command context
| 204 | ```json |
Template literal with variable interpolation in command context
| 237 | ```json |
Template literal with variable interpolation in command context
| 265 | ```json |
Template literal with variable interpolation in command context
| 307 | - Ensure using `${VAR_NAME}` syntax (not `$VAR_NAME`) |
Template literal with variable interpolation in command context
| 322 | 3. Replace `inputs` with `env` and use `${VAR}` syntax |
Access to hidden dotfiles in home directory
| 3 | description: Manage GitHub Copilot CLI MCP server configuration, including ~/.copilot/mcp-config.json, COPILOT_HOME or --config-dir, project-level .mcp.json/.github/mcp.json/.vscode/mcp.json, /mcp com |
Access to hidden dotfiles in home directory
| 15 | **Default**: `~/.copilot/mcp-config.json` |
Access to hidden dotfiles in home directory
| 21 | 3. Default `~/.copilot/` |
Access to hidden dotfiles in home directory
| 27 | **Additional config at runtime**: `--additional-mcp-config` augments `~/.copilot/mcp-config.json` for the current session only. It is repeatable, and accepts either a JSON string or a file path prefix |
Access to hidden dotfiles in home directory
| 182 | | **Location** | `.vscode/mcp.json` or global settings | `~/.copilot/mcp-config.json` (or `$COPILOT_HOME/mcp-config.json`) | |
Access to hidden dotfiles in home directory
| 231 | Local `stdio`/`local` MCP servers **cannot** be declared per-agent — they must be configured globally in `~/.copilot/mcp-config.json`. |
Access to hidden dotfiles in home directory
| 303 | - Check logs in `~/.copilot/logs/` (or `$COPILOT_HOME/logs/` if overridden) |
Access to hidden dotfiles in home directory
| 328 | **Personal configuration**: Default `~/.copilot/mcp-config.json` |
External URL reference
| 106 | "url": "https://api.githubcopilot.com/mcp/readonly", |
External URL reference
| 227 | url: https://example.com/mcp |
External URL reference
| 248 | "url": "https://api.githubcopilot.com/mcp/readonly", |