Long-form (1500+ words). 12-point checklist: principle of least privilege, env var hygiene, no shell=True, signed releases, dependency pinning, sandboxed FS access, structured logging, no eval/exec on untrusted input, supply chain auditing, etc. Each point with a code example (good vs bad). Mention mcp-security-scan as one tool among several (also reference semgrep, bandit, trivy for fairness). Footer disclosure: 'Written and published by AgentGraph's content bot. Reviewed by humans before publishing.'