GitHub Actions Cache Hardening Audit

by Daniel Lummis · GitHub ↗ · v1.0.0
Description
Audit GitHub Actions workflow cache usage for poisoning, keying, and secret-path risks.
README (SKILL.md)

GitHub Actions Cache Hardening Audit

Use this skill to statically audit .github/workflows/*.yml for risky cache patterns that can cause cache poisoning, stale cache churn, or secret leakage.

What this skill checks

  • actions/cache usage on untrusted triggers (pull_request_target)
  • Cache keys that do not use hashFiles(...)
  • Overly broad restore-keys prefixes
  • Sensitive paths accidentally included in cache paths (.aws, .ssh, .npmrc, .git)
  • Floating cache action refs (@main, @master)

Inputs

Optional:

  • WORKFLOW_GLOB (default: .github/workflows/*.y*ml)
  • TOP_N (default: 20)
  • OUTPUT_FORMAT (text or json, default: text)
  • WARN_SCORE (default: 3)
  • CRITICAL_SCORE (default: 6)
  • WORKFLOW_FILE_MATCH (regex, optional)
  • WORKFLOW_FILE_EXCLUDE (regex, optional)
  • FAIL_ON_CRITICAL (0 or 1, default: 0)

Run

Text report:

WORKFLOW_GLOB='.github/workflows/*.yml' \
bash skills/github-actions-cache-hardening-audit/scripts/cache-hardening-audit.sh

JSON output + fail gate:

WORKFLOW_GLOB='.github/workflows/*.yml' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-cache-hardening-audit/scripts/cache-hardening-audit.sh

Run against bundled fixtures:

WORKFLOW_GLOB='skills/github-actions-cache-hardening-audit/fixtures/*.yml' \
bash skills/github-actions-cache-hardening-audit/scripts/cache-hardening-audit.sh

Output contract

  • Exit 0 by default (report mode)
  • Exit 1 when FAIL_ON_CRITICAL=1 and at least one critical workflow is detected
  • Text mode prints a summary and top flagged workflows
  • JSON mode emits summary, flagged_workflows, and critical_workflows
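As an added example (not the skill's own script, whose scoring logic is not shown on this page), the following Python audit implements the five checks listed above over a constructed workflow and applies the default WARN_SCORE/CRITICAL_SCORE thresholds from the Inputs section. The per-finding weights, the handling of `actions/cache/restore` and `actions/cache/save`, and the small YAML subset parsed by `values()` are assumptions of this example.

```python
import re

# Constructed sample workflow for this example (not one of the skill's bundled fixtures).
RISKY = """on: [pull_request_target]
jobs:
  build:
    steps:
      - uses: actions/cache@main
        with:
          path: |
            ~/.ssh
          key: npm-${{ runner.os }}
          restore-keys: |
            npm-
"""
SENSITIVE = re.compile(r"(?<!\w)\.(aws|ssh|npmrc|git)(?=/|\s|$)")
# Per-finding weights are an assumption of this example; the README only fixes the
# default thresholds (WARN_SCORE=3, CRITICAL_SCORE=6), which classify() applies.
WEIGHTS = {"untrusted_trigger": 3, "sensitive_path": 3, "floating_ref": 2,
           "weak_key": 2, "broad_restore_key": 1}


def values(text, field):
    """Scalar or '|' block values of `field:` (enough YAML for workflow cache steps)."""
    m = re.search(rf"^([ \t]*){field}:[ \t]*(\|?)[ \t]*(.*)$", text, re.M)
    if not m or m.group(2) != "|":
        return [m.group(3).strip()] if m else []
    out, indent = [], len(m.group(1))
    for line in text[m.end():].splitlines()[1:]:
        if not line.strip() or len(line) - len(line.lstrip()) <= indent:
            break  # the block ends at the first line not indented past the key
        out.append(line.strip())
    return out


def audit(text):
    """Return (score, findings) for one workflow file; only cache steps are scored."""
    uses = re.search(r"uses:\s*actions/cache(?:/restore|/save)?@(\S+)", text)
    if not uses:
        return 0, []
    checks = [
        ("untrusted_trigger", re.search(r"\bpull_request_target\b", text)),
        ("floating_ref", uses.group(1) in ("main", "master")),
        ("weak_key", not any("hashFiles(" in k for k in values(text, "key"))),
        # a bare "<prefix>-" restore key matches every cache entry sharing that prefix
        ("broad_restore_key", any(re.fullmatch(r"[\w.]+-", k) for k in values(text, "restore-keys"))),
        ("sensitive_path", any(SENSITIVE.search(p) for p in values(text, "path"))),
    ]
    findings = [name for name, hit in checks if hit]
    return sum(WEIGHTS[f] for f in findings), findings


def classify(score, warn=3, critical=6):
    return "critical" if score >= critical else "warn" if score >= warn else "ok"
```

Running `audit(RISKY)` flags all five patterns and `classify()` rates the file critical, while the same workflow on `pull_request`, pinned to a tagged release, keyed with `hashFiles(...)` and caching only `~/.npm` scores 0.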
Usage Guidance
This skill appears to be what it claims: a static linter for GitHub Actions cache usage. Before running it, review the script (already bundled) and run it against a restricted glob (default .github/workflows/*.y*ml) or against the included fixtures to confirm its output. It reads every file matched by the glob, so avoid pointing it at broader globs if you don't want unrelated files scanned. There is no network exfiltration or credential access in the code, and it does not require any installation. If you plan to run it in a CI runner with broad filesystem access, be aware that it will read any files available to that runner; use WORKFLOW_GLOB to limit scope. If you need higher assurance, run the script locally on a copy of the repository or review the bundled code (scripts/cache-hardening-audit.sh) line by line; otherwise this skill is coherent and proportionate to its stated purpose.
Capability Analysis
Type: OpenClaw Skill
Name: github-actions-cache-hardening-audit
Version: 1.0.0
The skill is a static analysis tool designed to audit GitHub Actions workflows for cache-related security risks, such as cache poisoning on untrusted triggers or the accidental caching of sensitive directories like .ssh or .aws. The logic is implemented in a transparent Python script (embedded in scripts/cache-hardening-audit.sh) that scans local YAML files for risky patterns. No evidence of data exfiltration, malicious execution, or prompt injection was found.
Capability Assessment
Purpose & Capability
Name/description align with the included Bash+Python script which scans .github/workflows YAML files for cache-related anti-patterns. Required binaries (bash, python3) are exactly what the script needs. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
SKILL.md instructs running the bundled script against workflow files (default .github/workflows/*.y*ml). The script only reads files matched by the provided glob, parses them for specific patterns, and emits text or JSON. It does not call external network endpoints, does not access environment variables beyond those declared, and does not exfiltrate data. Note: because it reads repository files, running it in a context with broader filesystem access could expose any files matched by the glob; this is expected for a static repo scanner.
Install Mechanism
There is no install spec; this is instruction-only with a bundled script. That minimizes risk since nothing is downloaded or written to disk beyond the existing skill files.
Credentials
The skill requires no environment variables or credentials. The optional runtime inputs (WORKFLOW_GLOB, OUTPUT_FORMAT, etc.) are reasonable for a static analysis tool and do not request secrets or unrelated access.
Persistence & Privilege
The manifest sets always:false, and there is no behavior that modifies agent or system configuration. The skill does not attempt to persist credentials or change other skills. Autonomous invocation is allowed by default but is not combined with other concerning behaviors.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install github-actions-cache-hardening-audit
  3. After installation, invoke the skill by name or use /github-actions-cache-hardening-audit
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of github-actions-cache-hardening-audit.
  • Audits GitHub Actions workflow cache usage for risks like cache poisoning, improper keying, and secret-path exposure.
  • Checks for insecure usage patterns, including untrusted triggers, weak cache keys, dangerous restore-keys, and sensitive paths.
  • Supports customizable input options for file selection, output format (text or JSON), and risk thresholds.
  • Can be configured to fail CI on detection of critical cache risks.
  • Provides clear summary reports for flagged and critical workflows.
Metadata
Slug github-actions-cache-hardening-audit
Version 1.0.0