
GitHub Actions Manual Trigger Audit

by Daniel Lummis · GitHub ↗ · v1.0.0
cross-platform ✓ Security Clean
Downloads: 259 · Stars: 0 · Active Installs: 1 · Versions: 1
Install in OpenClaw: /install github-actions-manual-trigger-audit
Description
Audit manual GitHub Actions trigger dependence by workflow/event to flag automation gaps and intervention risk.
README (SKILL.md)

GitHub Actions Manual Trigger Audit

Use this skill to detect workflows that rely too heavily on manual triggers (workflow_dispatch / repository_dispatch) instead of automated CI events.

What this skill does

  • Reads GitHub Actions run JSON exports
  • Groups runs by repository + workflow (+ branch)
  • Measures manual-trigger share vs total run volume
  • Tracks recent manual-trigger streaks (latest N runs)
  • Scores severity (ok, warn, critical) for operational risk gating
  • Emits text or JSON output for automation

Inputs

Optional:

  • RUN_GLOB (default: artifacts/github-actions/*.json)
  • TOP_N (default: 20)
  • OUTPUT_FORMAT (text or json, default: text)
  • GROUP_BY (workflow or workflow-branch, default: workflow)
  • MANUAL_EVENTS (comma-separated, default: workflow_dispatch,repository_dispatch)
  • RECENT_WINDOW (latest runs inspected for streak, default: 5)
  • MIN_RUNS (minimum runs required, default: 5)
  • WARN_MANUAL_RATIO (0..1, default: 0.35)
  • CRITICAL_MANUAL_RATIO (0..1, default: 0.65)
  • WARN_MANUAL_RUNS (default: 5)
  • CRITICAL_MANUAL_RUNS (default: 12)
  • WARN_RECENT_MANUAL_STREAK (default: 3)
  • CRITICAL_RECENT_MANUAL_STREAK (default: 5)
  • WORKFLOW_MATCH / WORKFLOW_EXCLUDE (regex, optional)
  • BRANCH_MATCH / BRANCH_EXCLUDE (regex, optional)
  • EVENT_MATCH / EVENT_EXCLUDE (regex, optional)
  • REPO_MATCH / REPO_EXCLUDE (regex, optional)
  • FAIL_ON_CRITICAL (0 or 1, default: 0)
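
The grouping, manual-share, streak and severity steps listed under "What this skill does", as an added Python example that is not the skill's own script. The thresholds are the defaults from the Inputs list; the rule that meeting any one threshold sets the severity, the string form of `repository`, and the sample runs are assumptions.

```python
from collections import defaultdict

# Defaults taken from the Inputs list; how they combine is an assumption.
MANUAL_EVENTS = {"workflow_dispatch", "repository_dispatch"}
RECENT_WINDOW, MIN_RUNS = 5, 5
LEVELS = [("critical", {"ratio": 0.65, "runs": 12, "streak": 5}),
          ("warn", {"ratio": 0.35, "runs": 5, "streak": 3})]
RANK = {"critical": 0, "warn": 1, "ok": 2}

def recent_manual_streak(runs):
    """Consecutive manual runs counted from the newest, within RECENT_WINDOW."""
    newest_first = sorted(runs, key=lambda r: r["createdAt"], reverse=True)
    streak = 0
    for run in newest_first[:RECENT_WINDOW]:
        if run["event"] not in MANUAL_EVENTS:
            break
        streak += 1
    return streak

def audit(runs, group_by="workflow"):
    """Group runs, then score each group ok / warn / critical."""
    groups = defaultdict(list)
    for run in runs:
        key = (run["repository"], run["workflowName"])
        if group_by == "workflow-branch":
            key += (run["headBranch"],)
        groups[key].append(run)
    report = []
    for key, members in groups.items():
        if len(members) < MIN_RUNS:
            continue  # too few runs to judge
        manual = sum(r["event"] in MANUAL_EVENTS for r in members)
        stats = {"ratio": manual / len(members), "runs": manual,
                 "streak": recent_manual_streak(members)}
        # Assumption: meeting any one threshold is enough for that severity.
        severity = next((name for name, lim in LEVELS
                         if any(stats[k] >= lim[k] for k in stats)), "ok")
        report.append({"group": key, "total": len(members), **stats,
                       "severity": severity})
    return sorted(report, key=lambda g: (RANK[g["severity"]], -g["ratio"]))

def sample_runs():
    """Constructed sample: six daily runs each for two workflows."""
    events = {"deploy": ["push", "push"] + ["workflow_dispatch"] * 4,
              "ci": ["push"] * 4 + ["workflow_dispatch", "push"]}
    return [{"repository": "example-org/example-repo", "workflowName": wf,
             "event": ev, "headBranch": "main",
             "createdAt": f"2024-01-{day:02d}T00:00:00Z"}
            for wf, evs in events.items() for day, ev in enumerate(evs, 1)]
```

On the constructed sample, `audit(sample_runs())` ranks the deploy workflow first as critical (4 of 6 runs manual, streak of 4) and the ci workflow as ok.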

Collect run JSON

gh run view <run-id> --json databaseId,workflowName,event,headBranch,conclusion,createdAt,updatedAt,url,repository \
  > artifacts/github-actions/run-<run-id>.json

Run

Text report:

RUN_GLOB='artifacts/github-actions/*.json' \
bash skills/github-actions-manual-trigger-audit/scripts/manual-trigger-audit.sh

JSON output + fail gate:

RUN_GLOB='artifacts/github-actions/*.json' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-manual-trigger-audit/scripts/manual-trigger-audit.sh

Run against bundled fixtures:

RUN_GLOB='skills/github-actions-manual-trigger-audit/fixtures/*.json' \
bash skills/github-actions-manual-trigger-audit/scripts/manual-trigger-audit.sh

Output contract

  • Exit 0 in report mode (default)
  • Exit 1 when FAIL_ON_CRITICAL=1 and one or more groups are critical
  • Text mode prints summary + ranked workflow groups
  • JSON mode prints summary + ranked groups + critical groups
Usage Guidance
This skill appears to do what it says: analyze local GitHub Actions run JSONs for manual-trigger dependence. Before running it:
  1. Verify the RUN_GLOB value so the script only reads the intended JSON files (avoid globs that could match sensitive system files).
  2. If you plan to use the 'gh run view' example to collect data, be aware that it requires the GitHub CLI and your authenticated GitHub session/token; that is separate from this skill and not requested by it.
  3. Review the included script (already present) and consider running it against the bundled fixtures first to see the output.
  4. Run it in a constrained environment or review the outputs if you are concerned about printing repository URLs or other metadata; the tool may echo URLs contained in the JSON payloads but does not transmit data externally.
Capability Analysis
Type: OpenClaw Skill
Name: github-actions-manual-trigger-audit
Version: 1.0.0
The skill is a legitimate tool for auditing GitHub Actions workflow runs to identify over-reliance on manual triggers. The implementation consists of a shell wrapper and an inline Python script that processes local JSON files (exported via the GitHub CLI) to calculate metrics like manual-trigger ratios and streaks, with no evidence of data exfiltration, malicious execution, or prompt injection.
Capability Assessment
Purpose & Capability
The skill's name/description match what the code does: it reads GitHub Actions run JSON files, groups and scores workflows for manual-trigger dependence. Required binaries (bash, python3) are appropriate for the included shell+Python script. Minor note: the README examples show using the 'gh' CLI to collect run JSONs, but 'gh' is not listed in the declared required binaries; collecting data with 'gh' is optional for the tool to run (the script only reads local JSON files).
Instruction Scope
SKILL.md instructs the user to export run JSONs (example uses 'gh run view'), then run the script against a glob of JSON files. The runtime script only reads files matching RUN_GLOB and does not access other system configuration or environment variables. Two cautions: (1) the script will process any files matched by RUN_GLOB, so a mis-set glob could read unrelated local files; (2) the SKILL.md's 'gh' example implies network/GitHub access when collecting data, which is outside the script itself and requires separate user credentials.
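
A pre-flight check for the RUN_GLOB caution above, as an added Python example that is not part of the skill. The function name `vet_run_glob`, the allowed-root parameter and the temporary directory layout are assumptions made for illustration.

```python
import glob
import json
import os
import tempfile

REQUIRED_KEYS = {"workflowName", "event"}  # fields the gh export above requests

def vet_run_glob(pattern, allowed_root):
    """Split glob matches into (accepted, rejected) before any audit reads them."""
    root = os.path.realpath(allowed_root)
    accepted, rejected = [], []
    for path in sorted(glob.glob(pattern)):
        real = os.path.realpath(path)  # follow symlinks before the containment test
        if os.path.commonpath([root, real]) != root:
            rejected.append((path, "outside allowed root"))
        elif not os.path.isfile(real):
            rejected.append((path, "not a regular file"))
        else:
            try:
                with open(real, encoding="utf-8") as fh:
                    doc = json.load(fh)
            except (OSError, ValueError):
                rejected.append((path, "not readable JSON"))
                continue
            if isinstance(doc, dict) and REQUIRED_KEYS <= doc.keys():
                accepted.append(path)
            else:
                rejected.append((path, "missing run fields"))
    return accepted, rejected

def demo():
    """Constructed layout: one valid export, one stray file, one escaping symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        runs = os.path.join(tmp, "artifacts", "github-actions")
        os.makedirs(runs)
        with open(os.path.join(runs, "run-1.json"), "w") as fh:
            json.dump({"workflowName": "ci", "event": "push"}, fh)
        with open(os.path.join(runs, "notes.json"), "w") as fh:
            fh.write("not json")
        outside = os.path.join(tmp, "outside.json")
        with open(outside, "w") as fh:
            json.dump({"token": "constructed-placeholder"}, fh)
        os.symlink(outside, os.path.join(runs, "run-2.json"))
        accepted, rejected = vet_run_glob(os.path.join(runs, "*.json"), runs)
        return ([os.path.basename(p) for p in accepted],
                [(os.path.basename(p), why) for p, why in rejected])
```

Running the audit only when the rejected list is empty keeps a mis-set glob from feeding unrelated files into the report.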
Install Mechanism
No install spec; this is instruction-only plus an included script. Nothing is downloaded or installed by the skill package itself.
Credentials
The skill declares no required environment variables or credentials, and the script does not attempt to read secrets or other env vars. Note: collecting run JSONs with the GitHub CLI (as suggested in docs) would require GitHub authentication external to this skill; that is not requested by the skill itself.
Persistence & Privilege
always=false and there is no code that modifies agent configuration or other skills. The default autonomous invocation capability is unchanged (normal platform behavior) and the skill does not request persistent elevated privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install github-actions-manual-trigger-audit
  3. After installation, invoke the skill by name or use /github-actions-manual-trigger-audit
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: audit and report on manual vs automatic GitHub Actions workflow triggers.
  • Analyzes GitHub Actions run JSON to measure reliance on manual workflow triggers
  • Calculates manual trigger share, tracks recent manual streaks, and rates operational risk (ok/warn/critical)
  • Highly configurable input, output, and scoring parameters
  • Outputs both human-readable and JSON reports
  • Supports fail-on-critical gating for automation integration
Metadata
Slug github-actions-manual-trigger-audit
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is GitHub Actions Manual Trigger Audit?

Audit manual GitHub Actions trigger dependence by workflow/event to flag automation gaps and intervention risk. It is an AI Agent Skill for Claude Code / OpenClaw, with 259 downloads so far.

How do I install GitHub Actions Manual Trigger Audit?

Run "/install github-actions-manual-trigger-audit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is GitHub Actions Manual Trigger Audit free?

Yes, GitHub Actions Manual Trigger Audit is completely free (open-source). You can download, install and use it at no cost.

Which platforms does GitHub Actions Manual Trigger Audit support?

GitHub Actions Manual Trigger Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created GitHub Actions Manual Trigger Audit?

It is built and maintained by Daniel Lummis (@daniellummis); the current version is v1.0.0.
