
workflow-security-audit

Conducts security audits on GitHub workflows to identify vulnerabilities and apply auto-fixes, enhancing repository security.

Security score: 0/100

The workflow-security-audit skill was audited on May 30, 2026 and we found 14 security issues across 1 threat category, including 9 high-severity. Review the findings below before installing.

Categories Tested

Security Issues

All 14 findings are of a single issue type, "Template literal with variable interpolation in command context", and all are located in SKILL.md. The flagged lines, with severity and SKILL.md line number, are:

high, SKILL.md line 21:
    **A. Script injection** — `${{ ... }}` expressions used directly inside `run:` blocks that may contain user-controlled content:

high, SKILL.md line 22:
    - `${{ inputs.* }}` inside `run:` without an env-var intermediary

high, SKILL.md line 23:
    - `${{ github.event.* }}` inside `run:` (especially `client_payload.*`, `issue.title`, `issue.body`, `head_commit.message`, `pull_request.title`, `pull_request.body`)

high, SKILL.md line 24:
    - `${{ steps.*.outputs.* }}` inside `run:` where the output originated from user-controlled data

high, SKILL.md line 26:
    The safe pattern is always: declare `env: MY_VAR: ${{ ... }}` on the step, then use `"$MY_VAR"` in the shell. Direct interpolation lets shell metacharacters (backticks, `$()`, `"`) in the value execut

high, SKILL.md line 32:
    **D. Secret exposure** — `echo "${{ secrets.* }}"` or similar patterns that print secrets to logs or include them in commit messages.

high, SKILL.md line 34:
    **E. Fleet-specific risks** — `spawn-instance` or `fleet-control` jobs that pass `${{ inputs.* }}` directly into shell commands responsible for dispatching child runs.

medium, SKILL.md line 50:
    ```yaml

high, SKILL.md line 68:
    Write findings to `articles/workflow-security-audit-${today}.md`:

medium, SKILL.md line 70:
    ```markdown

medium, SKILL.md line 82:
    **Pattern:** `${{ inputs.message }}`

medium, SKILL.md line 100:
    ```bash

high, SKILL.md line 119:
    Append to `memory/logs/${today}.md`:

medium, SKILL.md line 120:
    ```
Scanned on May 30, 2026