by VikashLoomba
A VSCode extension that lets you find and install Agent Skills and MCP Apps to use with GitHub Copilot, Claude Code, and Codex CLI.
# Add to your Claude Code skills
git clone https://github.com/VikashLoomba/copilot-mcpLast scanned: 5/16/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@protobufjs/utf8: protobufjs has overlong UTF-8 decoding",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@vscode/test-cli: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ajv: ajv has ReDoS when using `$data` option",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "axios: Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF",
"severity": "high"
},
{
"type": "npm-audit",
"message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "diff: jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",
"severity": "low"
},
{
"type": "npm-audit",
"message": "fast-uri: fast-uri vulnerable to path traversal via percent-encoded dot segments",
"severity": "high"
},
{
"type": "npm-audit",
"message": "flatted: flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"severity": "high"
},
{
"type": "npm-audit",
"message": "follow-redirects: follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "lodash: lodash vulnerable to Code Injection via `_.template` imports key names",
"severity": "high"
},
{
"type": "npm-audit",
"message": "minimatch: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"severity": "high"
},
{
"type": "npm-audit",
"message": "mocha: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "protobufjs: Arbitrary code execution in protobufjs",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "serialize-javascript: Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"severity": "high"
},
{
"type": "npm-audit",
"message": "simple-git: simple-git Affected by Command Execution via Option-Parsing Bypass",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "underscore: Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack",
"severity": "high"
},
{
"type": "npm-audit",
"message": "undici: Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
"severity": "high"
}
],
"status": "FAILED",
"scannedAt": "2026-05-16T06:23:26.964Z",
"semgrepRan": false,
"npmAuditRan": true,
"pipAuditRan": true
}copilot-mcp is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by VikashLoomba. A VSCode extension that lets you find and install Agent Skills and MCP Apps to use with GitHub Copilot, Claude Code, and Codex CLI. It has 498 GitHub stars.
copilot-mcp failed SkillsLLM's automated security scan, which flagged one or more high-severity issues. Review the Security Report section carefully before using it.
Clone the repository with "git clone https://github.com/VikashLoomba/copilot-mcp" and add it to your Claude Code skills directory (see the Installation section above).
copilot-mcp is primarily written in TypeScript. It is open-source under VikashLoomba on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh copilot-mcp against similar tools.
No comments yet. Be the first to share your thoughts!
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.
Want remote MCP in ~30s? Try Cloud MCP — paste a URL → OAuth → done.
Works with Copilot & Claude (no keys, no terminal).
Get started at cloudmcp.run
A powerful VS Code extension that lets you discover, install, and manage open‑source MCP servers and agent skills from one place.
skills.sh and install to your agentsIf you don’t want to run servers locally, use Cloud MCP (remote, OAuth‑only).
Paste the MCP URL into Copilot/Claude and you’re done:
Configure via the UI or VS Code settings. Look for the MCP Servers icon in the Activity Bar.
Tip: When a server supports
npx/uvx, the Server Discovery panel shows a “Deploy via Cloud MCP” option so you can run it remotely without installing anything.
Copilot MCP collects a small set of anonymous usage events — searches, install attempts, and clicks on in-extension links/CTAs — so we can understand which features are useful.
@mcp chat prompts, truncated to 100 characters), public GitHub repository names/URLs and skill source locators for items you search for or act on, your OS platform/architecture and the extension version, and error messages/diagnostics (truncated) when something fails.telemetry.telemetryLevel setting. If you have disabled telemetry in VS Code, the extension sends nothing.To opt out, set telemetry.telemetryLevel to off in your VS Code settings.
This repo vendors an upstream Copilot provider from anomalyco/opencode under:
vendor/opencode-copilot/src/**Sync it with:
npm run sync:copilot-provider
Check drift without writing files:
npm run sync:copilot-provider:check
Automated daily sync PRs are created by:
.github/workflows/sync-opencode-copilot.ymlPRs and feature requests welcome! See issues.
Vikash Loomba
Website: https://cloudmcp.run
X: @DevAutomata
GitHub: @vikashloomba
GPL‑3.0 — see LICENSE.
Part of the MCP Client Ecosystem