GitHub Actions Cache Hardening Audit (OpenClaw skill)

Audit GitHub Actions workflow cache usage for poisoning, keying, and secret-path risks.

Category: Development and DevOps

Author: Daniel Lummis (@daniellummis)

License: MIT-0 (free to use, modify and redistribute; no attribution required)

Version: v1.0.0

Stats: ⭐ 0 · 155 · 1 current install · 1 all-time install


Package: daniellummis/github-actions-cache-hardening-audit

Security scan (ClawHub)

  • VirusTotal: benign
  • OpenClaw: benign

OpenClaw assessment

The skill's code and runtime instructions are consistent with its stated purpose (statically auditing GitHub Actions workflow cache usage) and do not request unrelated credentials, network access, or unusual installs.

Purpose

Name/description align with the included Bash+Python script which scans .github/workflows YAML files for cache-related anti-patterns. Required binaries (bash, python3) are exactly what the script needs. No unrelated credentials, binaries, or install steps are requested.

Scope of instructions

SKILL.md instructs running the bundled script against workflow files (default .github/workflows/*.y*ml). The script only reads files matched by the provided glob, parses them for specific patterns, and emits text or JSON. It does not call external network endpoints, does not access environment variables beyond those declared, and does not exfiltrate data. Note: because it reads repository files, running it in a context with broader filesystem …

Install mechanism

There is no install spec; this is instruction-only with a bundled script. That minimizes risk since nothing is downloaded or written to disk beyond the existing skill files.

Credentials

The skill requires no environment variables or credentials. The optional runtime inputs (WORKFLOW_GLOB, OUTPUT_FORMAT, etc.) are reasonable for a static analysis tool and do not request secrets or unrelated access.

Persistence

always:false and no behavior that modifies agent/system configuration. The skill does not attempt to persist credentials or change other skills. Autonomous invocation is allowed by default but is not combined with other concerning behaviors.

Overall conclusion

This skill appears to be what it claims: a static linter for GitHub Actions cache usage. Before running it, review the script (already bundled) and run it against a restricted glob (default .github/workflows/*.y*ml) or against included fixtures to confirm output. It reads files matched by the glob—so avoid pointing it at broader globs if you don't want unrelated files scanned. There's no network exfiltration or credential access in the code, a…

Install (copy to 龙虾 AI)

Copy the whole block below into a 龙虾中文库 conversation; the assistant installs the skill by following SKILL.md.

Please hand this block to 龙虾中文库 (龙虾 AI) to execute: install the OpenClaw skill "GitHub Actions Cache Hardening Audit" on this machine. Summary: Audit GitHub Actions workflow cache usage for poisoning, keying, and secret-pat…
Please fetch the following URL, read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/daniellummis/github-actions-cache-hardening-audit/SKILL.md
(Source: yingzhi8.cn skill library)

SKILL.md


---
name: github-actions-cache-hardening-audit
description: Audit GitHub Actions workflow cache usage for poisoning, keying, and secret-path risks.
version: 1.0.0
metadata: {"openclaw":{"requires":{"bins":["bash","python3"]}}}
---

# GitHub Actions Cache Hardening Audit

Use this skill to statically audit GitHub Actions workflow files (by default `.github/workflows/*.y*ml`) for risky cache patterns that can cause cache poisoning, stale cache churn, or secret leakage.

## What this skill checks
- `actions/cache` usage on untrusted triggers (`pull_request_target`): the job runs with the base repository's permissions and cache scope, so an entry saved while processing a fork's pull request can later be restored by trusted runs
- Cache keys that do not use `hashFiles(...)`: a key with no lockfile hash never rotates, so a stale or poisoned entry keeps being restored
- Overly broad `restore-keys` prefixes: a prefix such as `${{ runner.os }}-` falls back to the newest entry of any kind, not just this tool's
- Sensitive paths accidentally included in cache paths (`.aws`, `.ssh`, `.npmrc`, `.git`): a cache archive is not a secret store; any run that can reach the entry, including fork pull-request runs reading default-branch caches, can restore it
- Floating cache action refs (`@main`, `@master`): the action's code is resolved at run time instead of being pinned to a reviewed version
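The checks above, as an added example that is not the skill's own script: a small Python scanner that implements each of the five patterns and runs it over two constructed workflows, one step that trips every check and a hardened rewrite of the same step that passes. It uses no YAML library and only understands the flat `- uses:` / `with:` layout shown; the per-finding weights, the finding names and the "broad prefix" heuristic (a `restore-keys` entry with nothing literal left once `${{ ... }}` expressions are removed) are assumptions of this example, while `WARN_SCORE` and `CRITICAL_SCORE` reuse the skill's documented defaults of 3 and 6.

```python
# Added example, not the skill's bundled script: a line-based scanner (no YAML library) for the
# five cache anti-patterns listed above; it understands only the plain `- uses:` / `with:` step
# layout of the two constructed sample workflows at the bottom. Weights are assumed, not the skill's.
import re

SENSITIVE_SEGMENTS = {".aws", ".ssh", ".npmrc", ".git"}
UNTRUSTED_TRIGGERS, FLOATING_REFS = {"pull_request_target"}, {"main", "master"}
WARN_SCORE, CRITICAL_SCORE = 3, 6  # the skill's documented defaults
WEIGHTS = {"cache-on-untrusted-trigger": 3, "sensitive-path-cached": 3,  # assumed weights
           "key-without-hashfiles": 2, "floating-action-ref": 2, "broad-restore-key": 1}
EXPR = re.compile(r"\$\{\{.*?\}\}")  # ${{ ... }} expressions
KEY_LINE = re.compile(r"^(\s*)(?:- )?([A-Za-z_-]+):\s*(.*)$")  # "key: value" / "- key: value"

def workflow_triggers(text):
    # Event names from a top-level `on:` written inline, as a list, or as a mapping.
    triggers, in_on = set(), False
    for line in text.splitlines():
        m = re.match(r"^on:\s*(.*)$", line)
        if m:
            in_on = True
            triggers.update(t.strip() for t in m.group(1).strip("[] ").split(",") if t.strip())
        elif in_on and line.startswith(" "):
            m = re.match(r"^  (?:- )?([A-Za-z_]+)", line)  # exactly one indent level deep
            if m:
                triggers.add(m.group(1))
        elif line.strip():
            in_on = False  # the next top-level key ends the `on:` block
    return triggers

def parse_fields(chunk):
    # Map `key: value` lines of one step to value lists, expanding `|` block scalars.
    fields, i = {}, 0
    while i < len(chunk):
        m, i = KEY_LINE.match(chunk[i]), i + 1
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if value in ("|", "|-"):  # block scalar: the more-indented lines that follow
            value = []
            while i < len(chunk) and len(chunk[i]) - len(chunk[i].lstrip()) > indent:
                value.append(chunk[i].strip())
                i += 1
        else:
            value = [value.strip("'\"")]
        fields.setdefault(key, []).extend(value)
    return fields

def audit_workflow(text):
    # Return (findings, score, level) for one workflow document.
    findings, triggers = [], workflow_triggers(text)
    for chunk in re.split(r"\n(?=\s*- )", text):  # one chunk per `- ` list item (each step)
        f = parse_fields(chunk.splitlines())
        uses = f.get("uses", [""])[0]
        if not uses.startswith("actions/cache"):  # only cache steps are in scope
            continue
        if uses.partition("@")[2] in FLOATING_REFS:
            findings.append(("floating-action-ref", uses))
        for trig in sorted(triggers & UNTRUSTED_TRIGGERS):
            findings.append(("cache-on-untrusted-trigger", trig))
        key = f.get("key", [""])[0]
        if "hashFiles(" not in key:
            findings.append(("key-without-hashfiles", key))
        for prefix in f.get("restore-keys", []):
            if EXPR.sub("", prefix).strip("-_ ") == "":  # nothing literal left: matches anything
                findings.append(("broad-restore-key", prefix))
        for path in f.get("path", []):
            if SENSITIVE_SEGMENTS & set(path.split("/")):
                findings.append(("sensitive-path-cached", path))
    score = sum(WEIGHTS[kind] for kind, _ in findings)
    level = "critical" if score >= CRITICAL_SCORE else "warn" if score >= WARN_SCORE else "ok"
    return findings, score, level

RISKY = """\
on:
  pull_request_target:
jobs:
  build:
    steps:
      - uses: actions/cache@main
        with:
          path: |
            ~/.npm
            ~/.ssh
          key: ${{ runner.os }}-npm
          restore-keys: ${{ runner.os }}-
"""
HARDENED = """\
on: [push, pull_request]
jobs:
  build:
    steps:
      - uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: ${{ runner.os }}-npm-
"""

def run_examples():
    return {"risky.yml": audit_workflow(RISKY), "hardened.yml": audit_workflow(HARDENED)}
```

`run_examples()` reports `risky.yml` as critical (score 11, all five findings) and `hardened.yml` as clean. The hardened step shows the fixes together: a version-pinned action, no `pull_request_target`, a key that includes `hashFiles('**/package-lock.json')`, a `restore-keys` prefix that still names the tool, and a cache path that excludes `~/.ssh`.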

## Inputs
Optional:
- `WORKFLOW_GLOB` (default: `.github/workflows/*.y*ml`)
- `TOP_N` (default: `20`)
- `OUTPUT_FORMAT` (`text` or `json`, default: `text`)
- `WARN_SCORE` (default: `3`)
- `CRITICAL_SCORE` (default: `6`)
- `WORKFLOW_FILE_MATCH` (regex, optional)
- `WORKFLOW_FILE_EXCLUDE` (regex, optional)
- `FAIL_ON_CRITICAL` (`0` or `1`, default: `0`)

## Run

Text report:

```bash
WORKFLOW_GLOB='.github/workflows/*.yml' \
bash skills/github-actions-cache-hardening-audit/scripts/cache-hardening-audit.sh
```

JSON output + fail gate:

```bash
WORKFLOW_GLOB='.github/workflows/*.yml' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-cache-hardening-audit/scripts/cache-hardening-audit.sh
```

Run against bundled fixtures:

```bash
WORKFLOW_GLOB='skills/github-actions-cache-hardening-audit/fixtures/*.yml' \
bash skills/github-actions-cache-hardening-audit/scripts/cache-hardening-audit.sh
```

## Output contract
- Exit `0` by default (report mode)
- Exit `1` when `FAIL_ON_CRITICAL=1` and at least one critical workflow is detected
- Text mode prints a summary and top flagged workflows
- JSON mode emits `summary`, `flagged_workflows`, and `critical_workflows`