GitHub Actions Secret Exposure Audit

Audit GitHub Actions workflow files for secret exposure risks like pull_request_target secret usage, secret echo commands, and unpinned action secret passing.

Category: Development & DevOps

Author: Daniel Lummis @daniellummis

License: MIT-0

MIT-0 · Free to use, modify and redistribute. No attribution required.

Version: v1.0.0

Stats: ⭐ 0 · 160 · 1 current install · 1 all-time install

Package: daniellummis/github-actions-secret-exposure-audit

Security scan (ClawHub)

  • VirusTotal: benign
  • OpenClaw: benign

OpenClaw assessment

The skill's code, instructions, and requirements are consistent with an offline static audit of GitHub Actions workflow YAML files and do not request unrelated credentials or perform network/exfiltration actions.

Purpose

Name/description match the shipped files and runtime needs: a shell wrapper plus a Python script that scans workflow YAMLs. Required binaries (bash, python3) are appropriate for the implementation and purpose.

Instruction scope

SKILL.md and the script stick to scanning files matched by WORKFLOW_GLOB and reporting findings. The script reads files from disk (user-specified glob) and does not call external endpoints or attempt to read unrelated environment variables. Note: because WORKFLOW_GLOB is user-controlled, running the skill with a broad glob could cause it to read arbitrary files on disk — this is expected behavior for a file-scanning tool but is something to be…

Install mechanism

No install spec; instruction-only with bundled script. Nothing is downloaded or written to disk by an installer.

Credentials

The skill requires no secret environment variables or credentials. The environment variables it uses (WORKFLOW_GLOB, OUTPUT_FORMAT, thresholds, regex filters) are appropriate configuration knobs for a scanner.

Persistence

always is false and the skill does not modify other skills or system settings. It runs on demand and only reads files matched by the glob; it does not persist or attempt to store credentials.

Overall conclusion

This skill appears to do exactly what it says: statically scan GitHub Actions workflow YAMLs for risky secret usage patterns. It does not contact external services or request credentials. Before running, review WORKFLOW_GLOB to ensure you only scan intended paths (avoid globs that expose unrelated sensitive files). You can test using the bundled fixtures first. If you will allow autonomous agent invocation, remember the skill can read any file…

Install (copy to the Lobster AI)

Copy the whole block below into a Lobster Chinese Library chat; Lobster will complete the installation by following SKILL.md.

Please hand this block to the Lobster Chinese Library (Lobster AI) to execute: install the OpenClaw skill "GitHub Actions Secret Exposure Audit" on this machine. Summary: Audit GitHub Actions workflow files for secret exposure risks like pull_request…
Please fetch the following URL to read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/daniellummis/github-actions-secret-exposure-audit/SKILL.md
(Source: yingzhi8.cn skill library)

SKILL.md

---
name: github-actions-secret-exposure-audit
description: Audit GitHub Actions workflow files for secret exposure risks like pull_request_target secret usage, secret echo commands, and unpinned action secret passing.
version: 1.0.0
metadata: {"openclaw":{"requires":{"bins":["bash","python3"]}}}
---

# GitHub Actions Secret Exposure Audit

Use this skill to catch risky secret handling patterns in workflow YAML before they leak credentials or allow unsafe token use.

## What this skill does
- Scans workflow YAML files (`.github/workflows/*.yml` by default)
- Flags `pull_request_target` workflows that also reference `${{ secrets.* }}`
- Flags shell output commands that print secret expressions (`echo`, `printf`, `tee`, `::set-output`)
- Flags secret values passed into unpinned third-party actions (`@main`, `@master`, `@v1`, etc.)
- Flags likely hardcoded credential values in workflow config
- Supports text/json output and CI fail gate

## Inputs
Optional:
- `WORKFLOW_GLOB` (default: `.github/workflows/*.y*ml`)
- `TOP_N` (default: `20`)
- `OUTPUT_FORMAT` (`text` or `json`, default: `text`)
- `WARN_SCORE` (default: `4`)
- `CRITICAL_SCORE` (default: `8`)
- `WORKFLOW_FILE_MATCH` / `WORKFLOW_FILE_EXCLUDE` (regex, optional)
- `ALLOW_REF_REGEX` (regex, optional) — allow listed action refs (for example `^v1.2.3$`)
- `FAIL_ON_CRITICAL` (`0` or `1`, default: `0`)

## Run

Text report:

```bash
WORKFLOW_GLOB='.github/workflows/*.yml' \
WARN_SCORE=4 \
CRITICAL_SCORE=8 \
bash skills/github-actions-secret-exposure-audit/scripts/secret-exposure-audit.sh
```

JSON output + fail gate:

```bash
WORKFLOW_GLOB='.github/workflows/*.y*ml' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-secret-exposure-audit/scripts/secret-exposure-audit.sh
```

Run against bundled fixtures:

```bash
WORKFLOW_GLOB='skills/github-actions-secret-exposure-audit/fixtures/*.y*ml' \
bash skills/github-actions-secret-exposure-audit/scripts/secret-exposure-audit.sh
```

## Output contract
- Exit `0` in reporting mode (default)
- Exit `1` when `FAIL_ON_CRITICAL=1` and one or more workflows are critical
- Text mode prints summary + top risky workflows
- JSON mode prints summary + ranked workflows + critical workflows