docs(owasp): add third-party attributions to owasp-infrastructure and owasp-mcp

[MukundaKatta]

Pull Request

Description

owasp-infrastructure and owasp-mcp were the only OWASP skills in this repo that still lacked the Third-Party Attribution section and the OWASP trademark marker already used by owasp-top-10 and owasp-agentic. This PR brings those two skills and their reference files up to the same attribution standard.

Changes included in this PR:

• Add OWASP® to the affected skill titles and introductory framework references.
• Add a ## Third-Party Attribution section to both skill SKILL.md files using the same pattern already established elsewhere in the repo.
• Append matching attribution blocks to the related reference files so the per-reference footer structure is consistent across all OWASP skills.

No vulnerability guidance or remediation content is changed by this PR.

Related Issue(s)

Closes #1325.

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

• Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
• Skills: Must include both bash and PowerShell scripts. See Skills.
• Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
• See Agents Not Accepted and Model Version Requirements.

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Sample Prompts (for AI Artifact Contributions)

User Request:

Review a change for OWASP infrastructure or MCP risks and cite the relevant framework guidance from the built-in security skills.

Execution Flow:

The skill resolver loads the updated OWASP skill metadata and references, including the new attribution/trademark text, while preserving the existing security guidance content.

Output Artifacts:

No new user-facing artifacts are created. The updated repository artifacts are the touched OWASP SKILL.md files and their reference markdown files.

Success Indicators:

The affected OWASP skill files match the attribution structure already used by the sibling OWASP skills, and the reference files retain the expected footer ordering.

For detailed contribution requirements, see:

• Common Standards: docs/contributing/ai-artifacts-common.md - Shared standards for XML blocks, markdown quality, RFC 2119, validation, and testing
• Agents: docs/contributing/custom-agents.md - Agent configurations with tools and behavior patterns
• Prompts: docs/contributing/prompts.md - Workflow-specific guidance with template variables
• Instructions: docs/contributing/instructions.md - Technology-specific standards with glob patterns
• Skills: docs/contributing/skills.md - Task execution utilities with cross-platform scripts

Testing

• Compared the edited skill/reference footers against the existing owasp-top-10 and owasp-agentic patterns.
• Ran targeted markdown linting expectations against the touched files, noting that .github/skills/** is already excluded by repo configuration.
• Grepped for OWASP Foundation and OWASP® before and after to confirm the new attribution/trademark coverage matches the intended locations.

Checklist

Required Checks

• Documentation is updated (if applicable)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)
• Tests added for new functionality (if applicable)

AI Artifact Contributions

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps
• Plugin freshness: npm run plugin:generate
• Docusaurus tests: npm run docs:test

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues
• Security-related scripts follow the principle of least privilege

Additional Notes

• This keeps the original attribution rationale and verification notes, but moves them into the repository's PR template.
• The change is limited to attribution/trademark consistency and does not modify framework guidance.

[katriendg]

@WilliamBerryiii with changes coming via overall RAI related overhaul, I believe this one because stale?

[chaosdinosaur]

Clean attribution PR — the Third-Party Attribution sections, H1 trademark markers, and all 22 per-reference CC-BY-SA-4.0 footer blocks match the established sibling pattern exactly. One minor convention nit on body paragraph trademark usage noted inline.

[chaosdinosaur]

Nit: All five sibling OWASP skills (owasp-top-10, owasp-agentic, owasp-llm, owasp-docker, owasp-cicd) use plain OWASP (no ®) in the body paragraph, reserving ® for the H1 title and the Third-Party Attribution section. This line and the equivalent in owasp-mcp/SKILL.md line 19 introduce OWASP® in the body paragraph, which breaks the convention.

Suggested change

	The skill encodes the **OWASP® Infrastructure Security Top 10 (2024)** as structured,
	The skill encodes the **OWASP Infrastructure Security Top 10 (2024)** as structured,