Skill details (site mirror, no comments)
Author: Daniel Lummis @daniellummis
License: MIT-0
MIT-0 · Free to use, modify and redistribute. No attribution required.
Version: v1.1.0
Stats: ⭐ 0 · 185 · 1 current install · 1 all-time install
Package:daniellummis/github-actions-workflow-hardening-audit
Security scan (ClawHub)
- VirusTotal: benign
- OpenClaw: benign
OpenClaw assessment
The skill is internally consistent with its stated purpose: it is a local static auditor that needs only bash and python3 and does not request credentials or perform network I/O.
Purpose
Name/description match the actual behavior. Required binaries (bash, python3) are reasonable for a script that shells out to run an embedded Python program. There are no unrelated environment variables, credentials, or config paths requested.
Instruction scope
Runtime instructions and the included script are limited to reading workflow YAML files (glob, include/exclude filters, event filters) and producing a text/JSON report. It does not call external network endpoints or request secrets. Caution: the script parses YAML via regex/line scanning (not a YAML parser), so it can produce false positives/negatives and may mis-handle complex workflow files. The script prints file paths, scores, events, and …
Install mechanism
Instruction-only skill with no install spec. The only code is the provided script; nothing is downloaded or written to disk beyond running the included script.
Credentials
No credentials or privileged environment variables are required. Optional environment variables control filters and thresholds; these are proportional to the audit task. The script may output workflow file paths and referenced action refs, which you should treat as potentially sensitive information if your repo contains secret-related configuration.
Persistence
Skill does not request persistent presence (always=false) and does not modify agent or system configuration. It runs as an on-demand script and does not attempt to store tokens or alter other skills.
Overall conclusion
This skill appears to do exactly what it says: statically scan .github/workflows files and report hardening gaps. Before running: (1) review the included script yourself (it's plain Python/Bash) to ensure its behavior is acceptable; (2) run it on a copy or limited glob if you are concerned about scanning many files; (3) be aware its YAML parsing is line-oriented/regex-based (not a full YAML parser) so verify any critical findings manually; (4)…
Install (copy to the Lobster AI)
Copy the whole block below into a 龙虾中文库 (Lobster Chinese Library) conversation; the Lobster agent completes the installation by following SKILL.md.
Hand this block to 龙虾中文库 (Lobster AI) to execute: install the OpenClaw skill "GitHub Actions Workflow Hardening Audit" on this machine. Summary: Audit GitHub Actions workflow files for hardening gaps (missing timeouts/permis….
Please fetch the following URL, read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/daniellummis/github-actions-workflow-hardening-audit/SKILL.md
(Source: yingzhi8.cn skill library)
SKILL.md
---
name: github-actions-workflow-hardening-audit
description: Audit GitHub Actions workflow files for hardening gaps (missing timeouts/permissions/concurrency and floating action refs).
version: 1.1.0
metadata: {"openclaw":{"requires":{"bins":["bash","python3"]}}}
---
# GitHub Actions Workflow Hardening Audit
Use this skill to statically audit `.github/workflows/*.yml` (and `*.yaml`) files before risky defaults leak into production CI.
## What this skill does
- Scans workflow YAML files and scores hardening risk per file
- Flags jobs missing `timeout-minutes`
- Flags missing `permissions` declarations (workflow-level or job-level)
- Optionally flags missing `concurrency` controls
- Flags floating `uses:` refs (`@main`, `@master`, `@latest`, major-only tags like `@v4`); unlike a full commit SHA, such a ref can be re-pointed at different code after you reviewed it
- Supports file/event regex filtering for targeted triage in large monorepos
- Assigns a severity (`ok` / `warn` / `critical`) per workflow and, with `FAIL_ON_CRITICAL=1`, can fail a CI gate
## Inputs
Optional:
- `WORKFLOW_GLOB` (default: `.github/workflows/*.y*ml`)
- `TOP_N` (default: `20`)
- `OUTPUT_FORMAT` (`text` or `json`, default: `text`)
- `WARN_SCORE` (default: `3`)
- `CRITICAL_SCORE` (default: `7`)
- `REQUIRE_TIMEOUT` (`0`/`1`, default: `1`)
- `REQUIRE_PERMISSIONS` (`0`/`1`, default: `1`)
- `REQUIRE_CONCURRENCY` (`0`/`1`, default: `0`)
- `FLAG_FLOATING_REFS` (`0`/`1`, default: `1`)
- `ALLOW_REF_REGEX` (regex whitelist for approved refs, optional)
- `WORKFLOW_FILE_MATCH` (regex include filter on file path, optional)
- `WORKFLOW_FILE_EXCLUDE` (regex exclude filter on file path, optional)
- `EVENT_MATCH` (regex include filter on parsed `on:` triggers, optional)
- `EVENT_EXCLUDE` (regex exclude filter on parsed `on:` triggers, optional)
- `FAIL_ON_CRITICAL` (`0` or `1`, default: `0`)
## Run
Text report:
```bash
# The trailing backslash makes the assignment part of the same command, so the
# variable reaches the script's environment; on its own line it would not.
WORKFLOW_GLOB='.github/workflows/*.y*ml' \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh
```
JSON output + fail gate:
```bash
WORKFLOW_GLOB='.github/workflows/*.y*ml' \
OUTPUT_FORMAT=json \
REQUIRE_CONCURRENCY=1 \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh
```
Filter to only `pull_request_target` workflows (these run with access to repository secrets and the base repository's token, so hardening gaps there matter most):
```bash
WORKFLOW_GLOB='.github/workflows/*.y*ml' \
EVENT_MATCH='pull_request_target' \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh
```
Run against bundled fixtures:
```bash
WORKFLOW_GLOB='skills/github-actions-workflow-hardening-audit/fixtures/*.y*ml' \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh
```
## Output contract
- Exit `0` in report mode (default)
- Exit `1` when `FAIL_ON_CRITICAL=1` and one or more workflows are critical
- Text mode prints summary + ranked workflow risks
- JSON mode prints summary + ranked workflows + critical workflows
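As an added example, not the skill's own script (which this page does not reproduce), the Python below implements the checks from "What this skill does", the inputs, and the exit-code contract against two constructed workflows, one with the risky defaults and one hardened. The per-finding point values and the placeholder commit SHA are this example's assumptions; SKILL.md fixes only the `WARN_SCORE`/`CRITICAL_SCORE` thresholds. It is line-oriented like the skill, but tracks indentation so a `permissions:` key nested under a step does not satisfy the workflow- or job-level check, one of the mis-readings the assessment above warns a plain line scanner can make.

```python
import itertools
import re
from dataclasses import dataclass, field

# Assumed per-finding weights: SKILL.md documents the WARN_SCORE/CRITICAL_SCORE
# thresholds (3 and 7) but not how points accrue, so these are this example's own.
WEIGHTS = {"no-timeout": 2, "no-permissions": 3, "no-concurrency": 1, "floating-ref": 2}
FLOATING_REF = re.compile(r"@(main|master|latest|v\d+)$")  # @v4.1.1 and full SHAs pass

# Constructed sample workflows (not the skill's bundled fixtures).
WEAK = """\
on: [push, pull_request_target]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: actions/setup-node@v4
"""
HARDENED = """\
on: [push, pull_request]
permissions:
  contents: read
concurrency:
  group: ci-${{ github.ref }}
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
"""

@dataclass
class Report:
    path: str
    events: list = field(default_factory=list)
    findings: list = field(default_factory=list)  # (kind, where) pairs
    score: int = 0
    severity: str = "ok"

def _parse_events(lines):
    # 'on: push', 'on: [a, b]', or the block form (one trigger per 2-space-indented key).
    for i, line in enumerate(lines):
        if line.startswith("on:"):
            inline = line[3:].strip("[] ")
            block = itertools.takewhile(lambda l: not l or l[0].isspace(), lines[i + 1:])
            return ([e.strip() for e in inline.split(",") if e.strip()] if inline
                    else [l.strip()[:-1] for l in block if re.match(r"^ {2}\S.*:$", l)])
    return []

def audit(path, text, require_timeout=True, require_permissions=True,
          require_concurrency=False, flag_floating_refs=True,
          allow_ref_regex=None, warn_score=3, critical_score=7):
    # Line-oriented scan of one workflow. Indentation decides whether a key is workflow-level
    # (column 0) or job-level (column 4); a 'permissions:' nested deeper does not count.
    lines = [re.split(r"\s+#", l, maxsplit=1)[0].rstrip() for l in text.splitlines()]  # drop comments
    rep = Report(path=path, events=_parse_events(lines))
    top = {l.split(":")[0] for l in lines if l and not l[0].isspace() and ":" in l}
    jobs, job, in_jobs = {}, None, False
    for line in filter(None, lines):
        indent, key = len(line) - len(line.lstrip()), line.strip().split(":")[0]
        if indent == 0:
            in_jobs, job = key == "jobs", None
        elif in_jobs and indent == 2 and line.endswith(":"):
            job, jobs[key] = key, set()
        elif in_jobs and indent == 4 and job and not key.startswith("-"):
            jobs[job].add(key)
        m = re.search(r"\buses:\s*(\S+)", line)
        if flag_floating_refs and m and FLOATING_REF.search(m.group(1)) \
                and not (allow_ref_regex and re.search(allow_ref_regex, m.group(1))):
            rep.findings.append(("floating-ref", f"{job}: uses {m.group(1)}"))
    for name, keys in jobs.items():
        if require_timeout and "timeout-minutes" not in keys:
            rep.findings.append(("no-timeout", name))
        if require_permissions and "permissions" not in top | keys:
            rep.findings.append(("no-permissions", name))
        if require_concurrency and "concurrency" not in top | keys:
            rep.findings.append(("no-concurrency", name))
    rep.score = sum(WEIGHTS[kind] for kind, _ in rep.findings)
    rep.severity = "critical" if rep.score >= critical_score else "warn" if rep.score >= warn_score else "ok"
    return rep

def matches_event_filter(rep, event_match=None, event_exclude=None):
    # EVENT_MATCH / EVENT_EXCLUDE semantics, applied to the parsed 'on:' triggers.
    joined = " ".join(rep.events)
    if event_match and not re.search(event_match, joined):
        return False
    return not (event_exclude and re.search(event_exclude, joined))

def exit_code(reports, fail_on_critical=False):
    # Output contract: exit 1 only when gating is on and some workflow is critical.
    return int(bool(fail_on_critical) and any(r.severity == "critical" for r in reports))

if __name__ == "__main__":
    reports = [audit(p, t, require_concurrency=True) for p, t in (("weak.yml", WEAK), ("hardened.yml", HARDENED))]
    for r in sorted(reports, key=lambda r: -r.score):  # ranked, as the text report is
        print(f"{r.path}: score={r.score} severity={r.severity} on={r.events} findings={r.findings}")
    raise SystemExit(exit_code(reports, fail_on_critical=True))
```

Run as a script it ranks the two samples, prints the findings, and exits 1 because the weak workflow is critical. The weak sample scores 9 under the assumed weights (two floating refs, no timeout, no permissions); the hardened one scores 0 even with `require_concurrency=True`, and `matches_event_filter` is what `EVENT_MATCH='pull_request_target'` would keep.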