http_mcp_headers
Implements HTTP MCP header secret support for secure handling of GitHub Actions secrets in the copilot engine.
Install this skill
Security score
The http_mcp_headers skill was audited on Feb 12, 2026 and we found 11 security issues across 2 threat categories, including 6 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 15 | 1. Extract secrets from headers (e.g., `${{ secrets.DD_API_KEY }}`) |
Template literal with variable interpolation in command context
| 22 | ```markdown |
Template literal with variable interpolation in command context
| 51 | ```json |
Template literal with variable interpolation in command context
| 80 | ```yaml |
Template literal with variable interpolation in command context
| 95 | - Parses `${{ secrets.VAR_NAME }}` patterns |
Template literal with variable interpolation in command context
| 96 | - Handles default values: `${{ secrets.VAR || 'default' }}` |
Template literal with variable interpolation in command context
| 105 | - Transforms `${{ secrets.DD_API_KEY }}` to `${DD_API_KEY}` |
Template literal with variable interpolation in command context
| 120 | 4. **Render env** with passthrough syntax (`\${VAR_NAME}`) |
Template literal with variable interpolation in command context
| 130 | 2. **Proper GitHub Actions secret handling** - Uses `${{ secrets.* }}` syntax |
External URL reference
| 31 | url: "https://mcp.datadoghq.com/api/unstable/mcp-server/mcp" |
External URL reference
| 56 | "url": "https://mcp.datadoghq.com/api/unstable/mcp-server/mcp", |