
GitHub Actions OIDC Hardening Audit

by Daniel Lummis · GitHub ↗ · v1.0.0
cross-platform · Security: Clean
274 downloads · 0 stars · 0 active installs · 1 version

Install in OpenClaw: /install github-actions-oidc-hardening-audit
Description
Audit GitHub Actions cloud auth workflows for OIDC hardening gaps like missing id-token write permissions, static cloud secrets, and floating auth action refs.
README (SKILL.md)

GitHub Actions OIDC Hardening Audit

Use this skill to catch risky cloud-auth patterns in workflow YAML before they become identity or secret exposure incidents.

What this skill does

  • Scans workflow YAML files (.github/workflows/*.yml by default)
  • Detects AWS/GCP/Azure auth action usage:
    • aws-actions/configure-aws-credentials
    • google-github-actions/auth
    • azure/login
  • Flags workflows that use cloud auth actions but lack permissions.id-token: write
  • Flags AWS auth usage without role-to-assume
  • Flags likely static cloud credential usage (aws-access-key-id, aws-secret-access-key, cloud credential secrets)
  • Flags floating auth action refs (@main, @master, @v1) unless allow-listed
  • Supports text/json output and CI fail gate

Inputs

Optional:

  • WORKFLOW_GLOB (default: .github/workflows/*.y*ml)
  • TOP_N (default: 20)
  • OUTPUT_FORMAT (text or json, default: text)
  • WARN_SCORE (default: 3)
  • CRITICAL_SCORE (default: 7)
  • WORKFLOW_FILE_MATCH / WORKFLOW_FILE_EXCLUDE (regex, optional)
  • ALLOW_REF_REGEX (regex, optional) — allow-listed action refs
  • FAIL_ON_CRITICAL (0 or 1, default: 0)

Run

Text report:

WORKFLOW_GLOB='.github/workflows/*.yml' \
WARN_SCORE=3 \
CRITICAL_SCORE=7 \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh

JSON output + fail gate:

WORKFLOW_GLOB='.github/workflows/*.y*ml' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh

Run against bundled fixtures:

WORKFLOW_GLOB='skills/github-actions-oidc-hardening-audit/fixtures/*.y*ml' \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh

Output contract

  • Exit 0 in reporting mode (default)
  • Exit 1 when FAIL_ON_CRITICAL=1 and one or more workflows are critical
  • Text mode prints summary + top risky workflows
  • JSON mode prints summary + flagged workflows + critical workflows
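
The following Python is an added example written for this page, not the skill's own oidc-hardening-audit.sh (whose source is not reproduced here). It implements the same classes of check the README lists (missing id-token: write, missing role-to-assume, static credential inputs, floating auth refs, an allow-list regex, and the FAIL_ON_CRITICAL exit contract) over two constructed workflow fixtures. The per-finding weights, the file-level handling of permissions, the line-based step grouping, and the extra GCP/Azure static-credential input names (credentials_json, creds) are assumptions of this example, not documented behaviour of the skill.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

AUTH_ACTIONS = ("aws-actions/configure-aws-credentials", "google-github-actions/auth", "azure/login")
# AWS input names are from the README; credentials_json (GCP) and creds (Azure) are assumed here.
STATIC_CRED_INPUTS = ("aws-access-key-id", "aws-secret-access-key", "credentials_json", "creds")
FLOATING_REF = re.compile(r"^(main|master|v\d+)$")  # @main, @master, @v1 ...
# Assumed weights; the README only documents the WARN_SCORE=3 / CRITICAL_SCORE=7 thresholds.
WEIGHTS = {"static-credential": 5, "missing-id-token-write": 3, "missing-role-to-assume": 2, "floating-auth-ref": 1}


@dataclass
class Report:
    findings: list = field(default_factory=list)  # (rule, detail) tuples

    @property
    def score(self) -> int:
        return sum(WEIGHTS[rule] for rule, _ in self.findings)

    def level(self, warn: int = 3, critical: int = 7) -> str:
        if self.score >= critical:
            return "critical"
        return "warn" if self.score >= warn else "ok"


def _steps(lines):
    """Group '- ' list items with their indented children; no YAML parser needed."""
    steps, current, indent = [], None, None
    for line in lines:
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        depth = len(line) - len(stripped)
        if stripped.startswith("- ") and (indent is None or depth <= indent):
            if current:
                steps.append(current)
            current, indent = [line], depth
        elif current is not None and depth > indent:
            current.append(line)
        else:
            if current:
                steps.append(current)
            current, indent = None, None
    if current:
        steps.append(current)
    return steps


def audit_workflow(text: str, allow_ref: Optional[str] = None) -> Report:
    """Apply the README's checks to one workflow; allow_ref plays the role of ALLOW_REF_REGEX."""
    lines = text.splitlines()
    report = Report()
    # File-level heuristic: a workflow-level or job-level 'id-token: write' both count.
    has_id_token_write = any(re.match(r"\s*id-token:\s*write\b", ln) for ln in lines)
    uses_auth = False
    for step in _steps(lines):
        block = "\n".join(step)
        m = re.search(r"uses:\s*([\w./-]+)@(\S+)", block)
        if not m or m.group(1) not in AUTH_ACTIONS:
            continue
        uses_auth = True
        action, ref = m.group(1), m.group(2)
        if FLOATING_REF.match(ref) and not (allow_ref and re.search(allow_ref, f"{action}@{ref}")):
            report.findings.append(("floating-auth-ref", f"{action}@{ref}"))
        for key in STATIC_CRED_INPUTS:
            if re.search(rf"^\s*{re.escape(key)}\s*:", block, re.M):
                report.findings.append(("static-credential", f"{action} input {key}"))
        if action == AUTH_ACTIONS[0] and not re.search(r"^\s*role-to-assume\s*:", block, re.M):
            report.findings.append(("missing-role-to-assume", action))
    if uses_auth and not has_id_token_write:
        report.findings.append(("missing-id-token-write", "permissions.id-token: write not set"))
    return report


def exit_code(reports, fail_on_critical: bool = False) -> int:
    """Output contract: 0 in reporting mode, 1 when the gate is on and any workflow is critical."""
    return 1 if fail_on_critical and any(r.level() == "critical" for r in reports) else 0


# Constructed fixtures for this example (not the skill's bundled ones).
RISKY_WORKFLOW = """\
jobs:
  deploy:
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@main
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""
HARDENED_WORKFLOW = """\
permissions:
  id-token: write
jobs:
  deploy:
    steps:
      - uses: aws-actions/configure-aws-credentials@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          role-to-assume: arn:aws:iam::123456789012:role/deploy
"""
```

Calling audit_workflow(RISKY_WORKFLOW) yields four rule classes and a score above the critical threshold, while the hardened fixture scores zero; exit_code([...], fail_on_critical=True) then returns 1 for any run that includes the risky file, mirroring the FAIL_ON_CRITICAL gate. The indentation-based step grouping is a deliberate simplification so the example runs with the standard library only; a production scanner would parse the YAML and evaluate permissions per job rather than per file.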
Usage Guidance
This skill appears coherent for a local static audit of GitHub Actions workflows. Before installing or running it:
  1. Review the included script (scripts/oidc-hardening-audit.sh) if you want to confirm its behavior.
  2. Be deliberate about WORKFLOW_GLOB / WORKFLOW_FILE_MATCH values: the script will read any files those patterns match.
  3. Running with FAIL_ON_CRITICAL=1 exits non-zero when findings meet the threshold (useful in CI, but it will fail the pipeline).
  4. The tool detects references to secrets but does not read secret values or contact external endpoints.
If you plan to run it in a shared environment, consider running it on a checked-out copy of the repo or restricting the glob to avoid scanning unrelated sensitive paths.
Capability Analysis
Type: OpenClaw Skill
Name: github-actions-oidc-hardening-audit
Version: 1.0.0
The skill is a security auditing tool designed to identify OIDC hardening gaps in GitHub Actions workflows. It uses a Python script within a bash wrapper (scripts/oidc-hardening-audit.sh) to scan YAML files for risky patterns such as static credentials, missing OIDC permissions, and unpinned action references. The logic is self-contained, uses only standard libraries, and lacks any indicators of data exfiltration, malicious execution, or prompt injection.
Capability Assessment
Purpose & Capability
The name/description match the included script and fixtures. Required binaries (bash, python3) are appropriate for running the provided shell+Python scanner. No unrelated credentials, config paths, or network installs are requested.
Instruction Scope
SKILL.md and the script limit actions to scanning workflow YAML files and printing a report. The tool reads files matched by WORKFLOW_GLOB (default .github/workflows/*.y*ml) and supports arbitrary globs/regex, so a user-provided pattern could cause it to read other files on disk — this is expected for a scanner but worth noting.
Install Mechanism
Instruction-only skill with bundled script; there is no network download or package install. Nothing is written to disk beyond running the existing script, so install risk is low.
Credentials
No environment variables or secrets are required. The script inspects workflow files for secret references but does not access or require those secrets, nor does it send data externally.
Persistence & Privilege
The manifest's always flag is false, and the skill does not request persistent or system-wide privileges or modify other skills. It runs locally and does not persist configuration automatically.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install github-actions-oidc-hardening-audit
  3. After installation, invoke the skill by name or use /github-actions-oidc-hardening-audit
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of the GitHub Actions OIDC Hardening Audit skill:
  • Audits GitHub Actions workflows for OIDC authentication misconfigurations and risky patterns.
  • Flags missing `id-token: write` permissions, static cloud credential usage, weak action refs, and improper AWS role configuration.
  • Supports both text and JSON output, top-N reporting, and CI fail-gate.
  • Highly configurable via input environment variables and regex allow-lists.
  • Designed for security teams and DevOps to preemptively catch identity and secret exposure risks.
Metadata
Slug github-actions-oidc-hardening-audit
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is GitHub Actions OIDC Hardening Audit?

Audit GitHub Actions cloud auth workflows for OIDC hardening gaps like missing id-token write permissions, static cloud secrets, and floating auth action refs. It is an AI Agent Skill for Claude Code / OpenClaw, with 274 downloads so far.

How do I install GitHub Actions OIDC Hardening Audit?

Run "/install github-actions-oidc-hardening-audit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is GitHub Actions OIDC Hardening Audit free?

Yes, GitHub Actions OIDC Hardening Audit is completely free (open-source). You can download, install and use it at no cost.

Which platforms does GitHub Actions OIDC Hardening Audit support?

GitHub Actions OIDC Hardening Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created GitHub Actions OIDC Hardening Audit?

It is built and maintained by Daniel Lummis (@daniellummis); the current version is v1.0.0.
