Skill details (on-site mirror, no comments)
Author: Daniel Lummis @daniellummis
License: MIT-0 (free to use, modify and redistribute; no attribution required)
Version: v1.0.0
Stats: ⭐ 0 · 141 · 0 current installs · 0 all-time installs
Package: daniellummis/github-actions-permission-scope-audit
Security scan (ClawHub)
- VirusTotal: benign
- OpenClaw: benign
OpenClaw assessment
The skill's code, instructions, and requirements are coherent with its stated purpose (auditing GitHub Actions workflow permission scopes); it reads local workflow YAML files and emits text/JSON reports and does not request credentials, network access, or unusual system privileges.
Purpose
Name/description match the shipped script and fixtures. Declared required binaries (bash, python3) are exactly what the SKILL.md and scripts use. No unrelated credentials, config paths, or binaries are requested.
Instruction scope
SKILL.md instructs the agent to read workflow YAML files, run the bundled shell script, and optionally set environment flags; the script only reads files matched by WORKFLOW_GLOB, extracts events/permission lines via regex, scores findings, and prints text/JSON. It does not send data externally, read unrelated system config, or access secrets.
Install mechanism
This is an instruction-only skill with no install spec; the only shipped code is a shell script and fixtures. Nothing is downloaded or extracted from external URLs.
Credentials
No required environment variables or credentials are declared; optional ENV inputs are for filtering/reporting and are appropriate for the task. The script does not attempt to read additional env vars or secret files.
Persistence
The skill does not request permanent presence (`always:false`) and does not modify other skills or system-wide settings. It runs on demand and has no privileged persistence behaviour.
Overall conclusion
This skill appears to do exactly what it claims: scan your repository's .github/workflows YAML files for broad GITHUB_TOKEN permissions and emit a ranked report. Before installing/running: (1) review the bundled script if you have strict security controls — it parses YAML using regex rather than a YAML parser so it may mis-detect unusual formatting; (2) run it in the repository root (or set WORKFLOW_GLOB) because it only reads files matched by…
Install (copy to 龙虾 AI / Lobster AI)
Copy the whole passage below into a 龙虾中文库 (Lobster Chinese Library) chat; the assistant completes the installation according to SKILL.md.
Hand this passage to 龙虾中文库 (龙虾 AI) to execute: install the OpenClaw skill "GitHub Actions Permission Scope Audit" on this machine. Summary: Audit GitHub Actions workflow permission scope drift to enforce least-privilege…
Fetch the following URL, read SKILL.md, and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/daniellummis/github-actions-permission-scope-audit/SKILL.md
(Source: yingzhi8.cn skill library)
SKILL.md
---
name: github-actions-permission-scope-audit
description: Audit GitHub Actions workflow permission scope drift to enforce least-privilege token access.
version: 1.0.0
metadata: {"openclaw":{"requires":{"bins":["bash","python3"]}}}
---
# GitHub Actions Permission Scope Audit
Use this skill to detect over-broad `GITHUB_TOKEN` permissions and scope drift across GitHub Actions workflows.
## What this skill does
- Reads workflow YAML files
- Detects explicit broad permission grants (`write-all`, `contents: write`, etc.)
- Flags risky patterns like `pull_request_target` workflows with write permissions (the event runs in the base repository's context, so a pull request from a fork can trigger a job that holds a write token)
- Identifies workflows with no explicit `permissions` policy
- Emits text or JSON for CI triage and policy gates
## Inputs
Optional:
- `WORKFLOW_GLOB` (default: `.github/workflows/*.y*ml`)
- `TOP_N` (default: `20`)
- `OUTPUT_FORMAT` (`text` or `json`, default: `text`)
- `WARN_SCORE` (default: `2`)
- `CRITICAL_SCORE` (default: `5`)
- `FLAG_MISSING_PERMISSIONS` (`0` or `1`, default: `1`)
- `FLAG_WRITE_ALL` (`0` or `1`, default: `1`)
- `FLAG_WRITE_SCOPES` (`0` or `1`, default: `1`)
- `WORKFLOW_FILE_MATCH` / `WORKFLOW_FILE_EXCLUDE` (regex, optional)
- `EVENT_MATCH` / `EVENT_EXCLUDE` (regex, optional)
- `PERMISSION_MATCH` / `PERMISSION_EXCLUDE` (regex, optional)
- `FAIL_ON_CRITICAL` (`0` or `1`, default: `0`)
## Run
Text report (pass the environment variables on the same command line, or `export` them first, so the child `bash` process inherits them; a bare `VAR=value` on its own line is not exported):
```bash
WORKFLOW_GLOB='.github/workflows/*.yml' \
bash skills/github-actions-permission-scope-audit/scripts/permission-scope-audit.sh
```
JSON output + fail gate:
```bash
WORKFLOW_GLOB='.github/workflows/*.yml' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-permission-scope-audit/scripts/permission-scope-audit.sh
```
Run against bundled fixtures:
```bash
WORKFLOW_GLOB='skills/github-actions-permission-scope-audit/fixtures/*.yml' \
bash skills/github-actions-permission-scope-audit/scripts/permission-scope-audit.sh
```
## Output contract
- Exit `0` in report mode (default)
- Exit `1` when `FAIL_ON_CRITICAL=1` and one or more workflows are critical
- Text mode prints summary + ranked workflows
- JSON mode prints summary + ranked workflows + critical workflows
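As an added example, not the skill's bundled script (which this page does not reproduce), the following Python implements the same line/regex approach to the checks, ranking and exit-code contract described in this SKILL.md and runs it over constructed fixture workflows. The scoring weights, the rule names and the fixtures are assumptions for illustration; only the `WARN_SCORE`/`CRITICAL_SCORE` defaults are taken from the inputs above. It also shows the caveat raised in the ClawHub assessment: a job-level `permissions:` override is invisible to column-0 matching, so `deploy.yml` scores clean even though one of its jobs grants `contents: write`.

```python
"""Added example (not the skill's bundled script): a line/regex-based permission-scope audit."""
import json
import re
from dataclasses import dataclass

WARN_SCORE, CRITICAL_SCORE = 2, 5  # the documented defaults
# Assumed weights (not the skill's): write-all alone is critical, one write scope is a
# warning, and any write plus pull_request_target (fork-triggerable) tips critical.
WEIGHTS = {"missing-permissions": 2, "write-all": 5, "write-scope": 1, "pull_request_target+write": 3}

@dataclass
class Result:
    path: str
    policy: "str | None"  # None = no permissions key; "write-all", "read-all" or "scoped"
    findings: list        # (rule, weight) pairs
    score: int
    severity: str         # "ok" | "warn" | "critical", from WARN_SCORE / CRITICAL_SCORE

def _flow_pairs(value):  # flow style `[a, b]` / `{k: v}` -> [(key, value), ...]
    items = [x.strip() for x in value.strip()[1:-1].split(",") if x.strip()]
    return [(k.strip(), v.strip()) for k, _, v in (x.partition(":") for x in items)]

def _block_children(lines, start):  # direct children of the block opened at lines[start]
    pairs, indent, i = [], None, start + 1
    while i < len(lines):
        stripped = lines[i].strip()
        if stripped and not stripped.startswith("#"):
            cur = len(lines[i]) - len(lines[i].lstrip(" "))
            if cur == 0:
                break  # back at column 0: the block has ended
            indent = cur if indent is None else indent
            m = re.match(r"-\s*([\w-]+)|([\w-]+):\s*(.*)", stripped) if cur == indent else None
            if m:
                pairs.append((m.group(1), "") if m.group(1) else (m.group(2), m.group(3).strip()))
        i += 1
    return pairs, i

def parse_workflow(text):
    """Top-level `on:` events and `permissions:` policy; only column-0 keys are matched."""
    lines, events, policy, scopes, i = text.splitlines(), [], None, {}, 0
    while i < len(lines):
        m = re.match(r"^(on|permissions):\s*(.*?)\s*$", lines[i])
        if not m:
            i += 1
            continue
        key, value = m.groups()
        if value[:1] in ("[", "{"):
            pairs, i = _flow_pairs(value), i + 1
        elif value:
            pairs, i = [(value, "")], i + 1  # scalar, e.g. `on: push` or `permissions: write-all`
        else:
            pairs, i = _block_children(lines, i)
        if key == "on":
            events = [k for k, _ in pairs]
        elif value in ("write-all", "read-all"):
            policy, scopes = value, {}
        else:
            policy, scopes = "scoped", dict(pairs)  # `permissions: {}` is an explicit deny-all
    return events, policy, scopes

def audit(path, text):
    """Score one workflow against the rules listed under 'What this skill does'."""
    events, policy, scopes = parse_workflow(text)
    writes = [s for s, level in scopes.items() if level == "write"]
    findings = []
    if policy is None:
        findings.append(("missing-permissions", WEIGHTS["missing-permissions"]))
    elif policy == "write-all":
        findings.append(("write-all", WEIGHTS["write-all"]))
    findings += [(f"write-scope:{s}", WEIGHTS["write-scope"]) for s in writes]
    if "pull_request_target" in events and (policy == "write-all" or writes):
        findings.append(("pull_request_target+write", WEIGHTS["pull_request_target+write"]))
    score = sum(w for _, w in findings)
    severity = "critical" if score >= CRITICAL_SCORE else "warn" if score >= WARN_SCORE else "ok"
    return Result(path, policy, findings, score, severity)

def exit_code(results, fail_on_critical=False):
    # Output contract: 0 in report mode, 1 when gating and any workflow is critical.
    return 1 if fail_on_critical and any(r.severity == "critical" for r in results) else 0

def report(results, fmt="text", top_n=20):
    # Summary + ranked workflows (worst first); JSON mode also lists the critical ones.
    ranked = sorted(results, key=lambda r: (-r.score, r.path))[:top_n]
    summary = {lvl: sum(r.severity == lvl for r in results) for lvl in ("critical", "warn", "ok")}
    rows = [{"path": r.path, "score": r.score, "severity": r.severity,
             "findings": [rule for rule, _ in r.findings]} for r in ranked]
    if fmt == "json":
        return json.dumps({"summary": summary, "ranked": rows,
                           "critical": [row["path"] for row in rows if row["severity"] == "critical"]}, indent=2)
    return "\n".join([f"summary: {summary}"] + [f"{r['severity']:8} {r['score']:2}  {r['path']}  {r['findings']}" for r in rows])

# Constructed fixtures (not the skill's). deploy.yml is the regex blind spot: job-level write, top-level read-all.
FIXTURES = {
    "release.yml": "name: release\non:\n  push:\n    tags: ['v*']\npermissions: write-all\njobs: {}\n",
    "label-prs.yml": "on: [pull_request_target]\npermissions:\n  contents: write\n  pull-requests: write\njobs: {}\n",
    "ci.yml": "name: ci\non:\n  pull_request:\n    branches: [main]\njobs: {}\n",
    "deploy.yml": "on: push\npermissions: read-all\njobs:\n  deploy:\n    permissions:\n      contents: write\n",
}

def audit_fixtures():
    return [audit(path, text) for path, text in FIXTURES.items()]
```

Calling `report(audit_fixtures())` ranks `label-prs.yml` and `release.yml` as critical, `ci.yml` as a warning for having no policy at all, and `deploy.yml` as clean; `exit_code(results, fail_on_critical=True)` therefore returns `1`. A real run would feed `audit()` the files matched by `WORKFLOW_GLOB` instead of `FIXTURES`, and closing the job-level blind spot means switching from column-0 matching to a YAML parser, at the cost of a dependency beyond the declared `bash` and `python3`.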