← Back to Skills Marketplace
charlie-morrison

Github Actions Linter

by charlie-morrison · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
86
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install github-actions-linter
Description
Lint and validate GitHub Actions workflow YAML files for common mistakes, security issues, deprecated actions, and best practices. Use when asked to lint, va...
README (SKILL.md)

GitHub Actions Linter

Lint GitHub Actions workflow files for syntax errors, security issues, deprecated actions, and best practices violations.

Commands

All commands use the bundled Python script at scripts/gha_linter.py.

1. Lint a workflow file

python3 scripts/gha_linter.py lint \x3Cfile-or-directory> [--strict] [--format text|json|markdown]

Runs all lint rules against one or more workflow files. If given a directory, scans for *.yml and *.yaml files recursively.

Flags:

  • --strict — exit code 1 on any warning (not just errors)
  • --format — output format: text (default), json, markdown

2. Audit for security issues

python3 scripts/gha_linter.py security \x3Cfile> [--format text|json|markdown]

Focused security audit: shell injection via ${{ }} in run:, hardcoded secrets, overly permissive permissions, untrusted event contexts in expressions.

3. Check for deprecated actions

python3 scripts/gha_linter.py deprecated \x3Cfile> [--format text|json|markdown]

Detect outdated action versions (e.g., actions/checkout@v2, actions/setup-node@v3 when v4 exists) and suggest upgrades.

4. Validate workflow structure

python3 scripts/gha_linter.py validate \x3Cfile> [--format text|json|markdown]

Structural validation only: required keys (on, jobs), valid trigger events, valid runs-on labels, job dependency graph (circular deps, missing refs).

Lint Rules (28 total)

Syntax & Structure (8 rules)

  1. missing-on — Workflow missing on trigger
  2. missing-jobs — Workflow missing jobs section
  3. empty-jobs — Jobs section is empty
  4. missing-runs-on — Job missing runs-on
  5. missing-steps — Job missing steps
  6. empty-steps — Steps list is empty
  7. invalid-trigger — Unknown trigger event name
  8. circular-deps — Circular job dependency via needs

Security (8 rules)

  1. shell-injection${{ }} expression in run: (potential injection)
  2. hardcoded-secret — Hardcoded password/token/key patterns in workflow
  3. permissive-permissionspermissions: write-all or no permissions block
  4. untrusted-context — Dangerous contexts in expressions (github.event.issue.title, github.event.pull_request.body, etc.)
  5. pull-request-targetpull_request_target with checkout of PR head (known attack vector)
  6. third-party-action — Non-verified third party action without pinned SHA
  7. env-in-run — Secret used directly in run: instead of via env:
  8. excessive-permissions — Job requests more permissions than needed

Deprecated & Outdated (4 rules)

  1. deprecated-action — Action version is outdated (v1/v2 when v4 exists)
  2. deprecated-runner — Using deprecated runner labels (ubuntu-18.04, macos-10.15)
  3. set-output-deprecated — Using deprecated ::set-output:: command
  4. save-state-deprecated — Using deprecated ::save-state:: command

Best Practices (8 rules)

  1. missing-timeout — Job without timeout-minutes (default 6h is dangerous)
  2. missing-name — Step without name (harder to debug)
  3. latest-tag — Action pinned to @main or @master (unstable)
  4. no-concurrency — Workflow without concurrency (can waste resources)
  5. hardcoded-runner — Hardcoded runner version instead of -latest
  6. long-run-commandrun: block exceeds 50 lines (should be a script)
  7. duplicate-step-id — Duplicate id in steps within same job
  8. missing-if-continuecontinue-on-error: true without explanation comment

Output Formats

Text (default)

workflow.yml:12:3 error [shell-injection] Expression ${{ github.event.issue.title }} in run: is vulnerable to injection
workflow.yml:25:5 warning [missing-timeout] Job 'build' has no timeout-minutes (default: 360 min)
workflow.yml:31:7 warning [missing-name] Step at index 2 has no name

3 issues (1 error, 2 warnings)

JSON

{
  "file": "workflow.yml",
  "issues": [...],
  "summary": {"errors": 1, "warnings": 2, "info": 0}
}

Markdown

Summary table with severity, rule, location, and message.

CI Integration

# .github/workflows/lint-actions.yml
name: Lint Workflows
on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python3 scripts/gha_linter.py lint .github/workflows/ --strict

Exit codes: 0 = clean, 1 = errors found (or warnings in --strict mode).

Usage Guidance
This skill appears to be a straightforward, bundled Python linter for GitHub Actions workflows. Before installing or running it: (1) inspect the full script (scripts/gha_linter.py) yourself — running arbitrary code has risk even if it looks benign; (2) run it on a local or sandboxed copy of your repository if you have sensitive workflows or secrets (the tool will read any files you point it at); (3) expect some false positives/negatives because it uses a custom minimal YAML parser; (4) no credentials are required, so avoid granting tokens or secrets to the skill. If you want extra assurance, run the script in an isolated environment (container) and review its full source for any network or shell operations before use.
Capability Analysis
Type: OpenClaw Skill Name: github-actions-linter Version: 1.0.0 The skill bundle provides a legitimate utility for linting and auditing GitHub Actions workflow files. The core logic in `scripts/gha_linter.py` implements standard security checks (such as shell injection detection, hardcoded secret scanning, and SHA pinning) and best-practice validations using only the Python standard library. There is no evidence of data exfiltration, unauthorized network access, or malicious prompt injection within the instructions or code.
Capability Assessment
Purpose & Capability
Name/description (GitHub Actions linter) match the delivered artifacts: runtime instructions call the bundled Python script and the repository contains a linter implementation. There are no unrelated required binaries or credentials.
Instruction Scope
SKILL.md instructs the agent to run the included script (python3 scripts/gha_linter.py) against one or more files or directories and provides modes (lint, security, deprecated, validate). This necessarily reads workflow files (e.g., .github/workflows/*.yml) and can be pointed at arbitrary paths — expected for a linter, but users should be aware it will parse any files/dirs you ask it to analyze.
Install Mechanism
No install spec or external downloads. The linter is bundled as a local Python script and claims to rely only on stdlib; nothing is pulled from external URLs or package registries.
Credentials
The skill declares no required environment variables or credentials. SKILL.md and the visible code do not reference secret or external credentials. Requesting no tokens is proportional to a static linter.
Persistence & Privilege
always is false and the skill does not request elevated or persistent presence. There are no instructions to modify other skills or global agent configuration.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install github-actions-linter
  3. After installation, invoke the skill by name or use /github-actions-linter
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Slug github-actions-linter
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Github Actions Linter?

Lint and validate GitHub Actions workflow YAML files for common mistakes, security issues, deprecated actions, and best practices. Use when asked to lint, va... It is an AI Agent Skill for Claude Code / OpenClaw, with 86 downloads so far.

How do I install Github Actions Linter?

Run "/install github-actions-linter" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Github Actions Linter free?

Yes, Github Actions Linter is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Github Actions Linter support?

Github Actions Linter is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Github Actions Linter?

It is built and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments