Back to Course|AI Agent Orchestration Mastery: Build, Deploy & Sell Autonomous Systems

Lab

Build a Secure Agentic Workflow

35 min

Advanced

Unlimited free attempts

Instructions

In this lab, you will build a complete agentic workflow with security hardening. You will create five configuration files that together form a production-ready agent system: a security checklist, a custom skill, an MCP server configuration, scheduled cron jobs, and a SWIFT framework workflow document.

These files represent the real artifacts you would create when deploying an autonomous agent in a professional environment. Security is not an afterthought — it is built into every layer.

Architecture Overview

┌───────────────────────────────────────────────────────┐
│              Secure Agentic Workflow                   │
│                                                       │
│  ┌────────────────────┐  ┌────────────────────────┐   │
│  │ security-checklist  │  │ content-publisher-skill│   │
│  │ .yaml              │  │ .yaml                  │   │
│  │ (audit & harden)   │  │ (procedure skill)      │   │
│  └────────────────────┘  └────────────────────────┘   │
│                                                       │
│  ┌────────────────────┐  ┌────────────────────────┐   │
│  │ mcp-config.json    │  │ cron-schedule.yaml     │   │
│  │ (external tools)   │  │ (scheduled tasks)      │   │
│  └────────────────────┘  └────────────────────────┘   │
│                                                       │
│  ┌────────────────────────────────────────────────┐   │
│  │ swift-workflow.yaml                            │   │
│  │ (Setup → Workflow → Iterate → Formalize →     │   │
│  │  Trigger for a content creation pipeline)      │   │
│  └────────────────────────────────────────────────┘   │
└───────────────────────────────────────────────────────┘

Scenario

You are deploying an agent that manages a content creation and publishing pipeline for a tech blog. The agent needs to:

Research topics and draft blog posts
Publish content to the website after approval
Monitor published content analytics
Generate weekly performance reports
Integrate with external services (CMS, analytics, social media)

All five files should be consistent with this scenario. The security checklist protects this agent. The skill teaches it how to publish. The MCP config connects it to external services. The cron schedule automates recurring tasks. The SWIFT document formalizes the end-to-end content workflow.

Step 1: Security Checklist (security-checklist.yaml)

Create a comprehensive security audit checklist organized into 5 categories. Each category should contain specific checks with remediation steps.

Required Categories

1. Network Security — At least 3 checks covering:

Port exposure and firewall rules
SSH access restrictions
HTTPS enforcement for all agent communications

2. Messaging Security — At least 3 checks covering:

Allow lists for who can interact with the agent
Input sanitization against prompt injection
Rate limiting on outbound messages

3. Credential Management — At least 3 checks covering:

Environment variable usage (no hardcoded secrets)
Scoped API key permissions
Credential rotation schedule

4. Execution Security — At least 3 checks covering:

Sandboxed/containerized execution environment
Unprivileged user account (not root)
Action logging and audit trail

5. Skill Security — At least 3 checks covering:

Community skill review process before installation
Skill file scanning for malicious content
Permission boundaries for installed skills

Each check should have: check (what to verify), status (one of: pass, fail, not_checked), and remediation (how to fix if failing).

Step 2: Content Publisher Skill (content-publisher-skill.yaml)

Create a procedure skill that teaches the agent how to publish a blog post. This is a step-by-step workflow the agent follows when publishing content.

Include:

name: A descriptive skill name
type: procedure
description: One-line summary
triggers: At least 2 conditions that activate this skill
steps: At least 5 sequential steps, each with a name and instruction field. Cover the full publishing workflow:
1. Content validation (check title, body, images, metadata)
2. SEO optimization (title length, description, keywords)
3. Formatting and frontmatter generation
4. Review and approval gate (never publish without confirmation)
5. Publishing and confirmation
constraints: At least 4 rules defining what the skill must NOT do

Each step instruction should be detailed enough that the agent can follow it without ambiguity.

Step 3: MCP Server Configuration (mcp-config.json)

Create a valid JSON configuration that connects the agent to 3 MCP servers. Use the standard MCP configuration format with mcpServers as the top-level key.

Configure these three servers:

1. Filesystem Server — Gives the agent access to the blog content directory

Use the npx command pattern
Restrict access to a specific directory path
No API keys needed

2. GitHub Server — Lets the agent interact with the blog repository

Use the npx command pattern
Include a GITHUB_TOKEN environment variable
Include a GITHUB_REPO environment variable

3. Analytics Server — Connects to a web analytics service

Use the npx command pattern
Include an API key environment variable
Include a site ID environment variable

Each server must have: command, args (as an array), and env (where applicable). Use placeholder values for API keys (e.g., "your-github-token-here").

Step 4: Cron Schedule (cron-schedule.yaml)

Define 3 scheduled tasks that automate recurring agent work. For each task, include:

name: Descriptive task name
schedule: Valid cron expression (5-field format)
schedule_human: Human-readable description of when it runs
command: The agent CLI command that triggers the task
description: What the task does and why
log_file: Where to write output logs
error_handling: What to do if the task fails

Required Tasks

Daily Content Review — Runs every morning, checks for draft posts ready for review, validates formatting, and flags issues
Weekly Analytics Report — Runs once per week, gathers content performance metrics, generates a summary report, and delivers it
Hourly Health Monitor — Runs every hour, checks the blog website is responding, verifies recent deployments succeeded, and alerts on failures

Use valid cron syntax (e.g., 0 8 * * * for daily at 8 AM, 0 9 * * 1 for Mondays at 9 AM, 0 * * * * for every hour).

Step 5: SWIFT Workflow (swift-workflow.yaml)

Document a complete content creation workflow using the SWIFT framework. This file formalizes how the agent handles the end-to-end process of creating and publishing a blog post.

Include all five SWIFT phases:

S — Setup

goal: What is the desired outcome of this workflow?
data_sources: What does the agent need access to? (list at least 3)
required_tools: What MCP servers, skills, or services are needed? (list at least 3)
permissions: What access levels does the agent need? (list at least 3)

W — Workflow

steps: At least 6 sequential steps from topic research to post-publish monitoring. Each step should have a name and description.

I — Iterate

test_plan: At least 3 items describing how to test and validate the workflow
edge_cases: At least 3 edge cases to handle (e.g., API failure, empty analytics, missing images)

F — Formalize

name: Workflow name
description: One-line summary
version: Version number
last_updated: Date in YYYY-MM-DD format
constraints: At least 3 rules the workflow must always follow

T — Trigger

Define at least 3 trigger types (manual, scheduled, event-driven) with descriptions and examples for this specific workflow

What to Submit

The editor has 5 file sections with TODO comments. Replace each TODO with your configuration content. The AI grader will evaluate each section against the rubric.

Hints

The security checklist should have real, actionable checks — not vague guidelines
The content publisher skill should handle edge cases (what if the title is too long? what if there is no featured image?)
MCP config must be valid JSON — watch your commas, brackets, and quotes
Cron expressions use 5 fields: minute, hour, day-of-month, month, day-of-week
The SWIFT workflow should tell a complete story from start to finish — each phase builds on the previous one

Grading Rubric

security-checklist.yaml contains 5 named categories (network, messaging, credentials, execution, skills) with 3+ checks each. Every check has a check description, status field (pass/fail/not_checked), and a specific remediation step — not generic advice but actionable fixes relevant to an agent managing a content pipeline20 points

content-publisher-skill.yaml has name, type (procedure), description, triggers (2+), steps (5+ sequential steps each with name and detailed instruction covering validation, SEO, formatting, approval gate, and publishing), and constraints (4+ rules defining boundaries) — instructions are specific enough for an agent to follow without ambiguity20 points

mcp-config.json is valid JSON with a mcpServers object containing 3 server configurations (filesystem, github, analytics). Each server has command and args (array) fields. GitHub server has GITHUB_TOKEN and GITHUB_REPO env vars. Analytics server has API key and site ID env vars. Filesystem server restricts access to a specific directory path20 points

cron-schedule.yaml defines 3 tasks (daily content review, weekly analytics report, hourly health monitor) each with name, valid 5-field cron schedule expression, schedule_human description, agent CLI command, task description, log_file path, and error_handling strategy — cron expressions are syntactically correct15 points

swift-workflow.yaml covers all 5 SWIFT phases: Setup (goal, data_sources 3+, required_tools 3+, permissions 3+), Workflow (6+ named steps from research to post-publish monitoring), Iterate (test_plan 3+, edge_cases 3+), Formalize (name, description, version, last_updated date, constraints 3+), and Trigger (3+ types with descriptions and examples) — the phases form a coherent end-to-end content creation pipeline25 points

Checklist

0/5