Skill details (site mirror, no comments)
Author: Daniel Lummis @daniellummis
License: MIT-0
MIT-0 · Free to use, modify and redistribute. No attribution required.
Version: v1.0.0
Package: daniellummis/github-actions-oidc-hardening-audit
Security scan (ClawHub)
- VirusTotal: benign
- OpenClaw: benign
OpenClaw assessment
The skill's files, runtime instructions, and requested binaries align with a local static audit of GitHub Actions workflows; it doesn't request credentials or install external code.
Purpose
The name/description match the included script and fixtures. Required binaries (bash, python3) are appropriate for running the provided shell+Python scanner. No unrelated credentials, config paths, or network installs are requested.
Scope of instructions
SKILL.md and the script limit actions to scanning workflow YAML files and printing a report. The tool reads files matched by WORKFLOW_GLOB (default .github/workflows/*.y*ml) and supports arbitrary globs/regex, so a user-provided pattern could cause it to read other files on disk — this is expected for a scanner but worth noting.
Install mechanism
Instruction-only skill with bundled script; there is no network download or package install. Nothing is written to disk beyond running the existing script, so install risk is low.
Credentials
No environment variables or secrets are required. The script inspects workflow files for secret references but does not access or require those secrets, nor does it send data externally.
Persistence
`always` is false and the skill does not request persistent/system-wide privileges or modify other skills. It runs locally and does not automatically persist configuration.
Overall conclusion
This skill appears coherent for a local static audit of GitHub Actions workflows. Before installing/running: (1) review the included script (scripts/oidc-hardening-audit.sh) if you want to confirm behavior; (2) be deliberate about WORKFLOW_GLOB / WORKFLOW_FILE_MATCH values — the script will read any files those patterns match; (3) running with FAIL_ON_CRITICAL=1 will exit non-zero (useful in CI but will fail pipelines if findings meet the thre…
Install (copy to the OpenClaw "Lobster" AI)
Copy the whole block below into the Lobster Chinese Library chat; the Lobster agent completes the installation according to SKILL.md.
Please hand this block to the Lobster Chinese Library (Lobster AI) for execution: install the OpenClaw skill "GitHub Actions OIDC Hardening Audit" on this machine. Summary: Audit GitHub Actions cloud auth workflows for OIDC hardening gaps like missing ….
Please fetch the following URL, read SKILL.md, and complete the installation as the document describes: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/daniellummis/github-actions-oidc-hardening-audit/SKILL.md
(Source: yingzhi8.cn skill library)
SKILL.md
---
name: github-actions-oidc-hardening-audit
description: Audit GitHub Actions cloud auth workflows for OIDC hardening gaps like missing id-token write permissions, static cloud secrets, and floating auth action refs.
version: 1.0.0
metadata: {"openclaw":{"requires":{"bins":["bash","python3"]}}}
---
# GitHub Actions OIDC Hardening Audit
Use this skill to catch risky cloud-auth patterns in workflow YAML before they become identity or secret exposure incidents.
## What this skill does
- Scans workflow YAML files (`.github/workflows/*.yml` by default)
- Detects AWS/GCP/Azure auth action usage:
  - `aws-actions/configure-aws-credentials`
  - `google-github-actions/auth`
  - `azure/login`
- Flags workflows that use cloud auth actions but miss `permissions.id-token: write`
- Flags AWS auth usage without `role-to-assume`
- Flags likely static cloud credential usage (`aws-access-key-id`, `aws-secret-access-key`, cloud credential secrets)
- Flags floating auth action refs (`@main`, `@master`, `@v1`) unless allow-listed
- Supports text/json output and CI fail gate
## Inputs
Optional:
- `WORKFLOW_GLOB` (default: `.github/workflows/*.y*ml`)
- `TOP_N` (default: `20`)
- `OUTPUT_FORMAT` (`text` or `json`, default: `text`)
- `WARN_SCORE` (default: `3`)
- `CRITICAL_SCORE` (default: `7`)
- `WORKFLOW_FILE_MATCH` / `WORKFLOW_FILE_EXCLUDE` (regex, optional)
- `ALLOW_REF_REGEX` (regex, optional) — allow-listed action refs
- `FAIL_ON_CRITICAL` (`0` or `1`, default: `0`)
## Run
Text report:
```bash
# The assignments are prefixed to the command (line continuations) so the
# child bash process actually inherits them; separate lines would only set
# shell variables that the script never sees.
WORKFLOW_GLOB='.github/workflows/*.yml' \
WARN_SCORE=3 \
CRITICAL_SCORE=7 \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh
```
JSON output + fail gate:
```bash
# Env-prefixed so the script inherits the settings; exits 1 on critical findings.
WORKFLOW_GLOB='.github/workflows/*.y*ml' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh
```
Run against bundled fixtures:
```bash
# Env-prefixed so the glob reaches the script's process.
WORKFLOW_GLOB='skills/github-actions-oidc-hardening-audit/fixtures/*.y*ml' \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh
```
## Output contract
- Exit `0` in reporting mode (default)
- Exit `1` when `FAIL_ON_CRITICAL=1` and one or more workflows are critical
- Text mode prints summary + top risky workflows
- JSON mode prints summary + flagged workflows + critical workflows
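To make the detection rules under "What this skill does" and the exit-code contract above concrete, here is an added example checker written for this page; it is not the skill's own `oidc-hardening-audit.sh` and does not reproduce its exact scoring. It applies the listed rules with plain regexes (no PyYAML needed) to two constructed fixture workflows. The per-finding weights (critical 5, warn 2), the `classify` thresholds mirroring `WARN_SCORE`/`CRITICAL_SCORE`, the `ALLOW_REF_REGEX` handling and the all-zero SHA pins in the hardened fixture are assumptions made for the illustration.

```python
"""Added example: minimal OIDC-hardening checker for GitHub Actions workflow text.
Not the skill's own script; rules follow the skill description, weights are assumed."""
import re

AUTH_ACTIONS = (
    "aws-actions/configure-aws-credentials",
    "google-github-actions/auth",
    "azure/login",
)
# Inputs that carry long-lived cloud secrets instead of an OIDC federation.
STATIC_CRED_KEYS = re.compile(
    r"^\s*(aws-access-key-id|aws-secret-access-key|credentials_json|creds)\s*:", re.M)
FLOATING_REF = re.compile(r"@(main|master|v\d+)$")          # branch or major tag, not a SHA
ID_TOKEN_WRITE = re.compile(r"^\s*id-token\s*:\s*write\s*$", re.M)
ROLE_TO_ASSUME = re.compile(r"^\s*role-to-assume\s*:", re.M)
USES = re.compile(r"^\s*-?\s*uses\s*:\s*(\S+)", re.M)

WEIGHTS = {"critical": 5, "warn": 2}  # assumed weights, not the skill's own


def audit_workflow(text, allow_ref_regex=None):
    """Return (score, findings) for one workflow; findings are (severity, message)."""
    findings = []
    uses = [m.group(1) for m in USES.finditer(text)]
    auth_uses = [u for u in uses if any(u == a or u.startswith(a + "@") for a in AUTH_ACTIONS)]
    if not auth_uses:                      # no cloud auth action, nothing to harden
        return 0, findings
    if not ID_TOKEN_WRITE.search(text):
        findings.append(("critical", "cloud auth action without permissions.id-token: write"))
    if any(u.startswith("aws-actions/configure-aws-credentials") for u in auth_uses) \
            and not ROLE_TO_ASSUME.search(text):
        findings.append(("warn", "AWS auth without role-to-assume"))
    for m in STATIC_CRED_KEYS.finditer(text):
        findings.append(("critical", f"static credential input {m.group(1)}"))
    allow = re.compile(allow_ref_regex) if allow_ref_regex else None
    for u in auth_uses:
        if FLOATING_REF.search(u) and not (allow and allow.search(u)):
            findings.append(("warn", f"floating auth action ref {u}"))
    score = sum(WEIGHTS[sev] for sev, _ in findings)
    return score, findings


def classify(score, warn_score=3, critical_score=7):
    """Map a score onto the skill's WARN_SCORE / CRITICAL_SCORE thresholds."""
    if score >= critical_score:
        return "critical"
    if score >= warn_score:
        return "warn"
    return "ok"


def exit_code(scores, fail_on_critical=False, critical_score=7):
    """Output contract: 0 in reporting mode, 1 when gating and any workflow is critical."""
    critical = [name for name, s in scores.items() if s >= critical_score]
    return 1 if fail_on_critical and critical else 0


# Constructed fixture: static keys, floating ref, no id-token permission.
FIXTURE_UNSAFE = """\
name: deploy
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@main
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
"""

# Constructed fixture: OIDC role assumption, SHA-pinned actions (placeholder zero SHAs).
FIXTURE_HARDENED = """\
name: deploy
on: push
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - uses: aws-actions/configure-aws-credentials@0000000000000000000000000000000000000000
        with:
          role-to-assume: arn:aws:iam::123456789012:role/deploy-placeholder
          aws-region: us-east-1
"""

if __name__ == "__main__":
    scores = {}
    for name, text in (("unsafe.yml", FIXTURE_UNSAFE), ("hardened.yml", FIXTURE_HARDENED)):
        score, findings = audit_workflow(text)
        scores[name] = score
        print(f"{name}: score={score} level={classify(score)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
    print("exit code with FAIL_ON_CRITICAL=1:", exit_code(scores, fail_on_critical=True))
```

The unsafe fixture collects five findings (three critical, two warn) and therefore crosses the critical threshold, while the hardened one yields none; passing `allow_ref_regex=r"@main$"` suppresses only the floating-ref finding, which is the role `ALLOW_REF_REGEX` plays in the skill.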