gha-security-review
Identifies exploitable vulnerabilities in GitHub Actions workflows, ensuring findings include concrete exploitation scenarios.
Security score
The gha-security-review skill was audited on May 19, 2026. The audit found 10 security issues across 2 threat categories, 9 of them rated high severity. Review the findings below before installing.
Security Issues

Template literal with variable interpolation in command context (9 findings)

The scanner's pattern for JavaScript-style template literals also matches the `${{ }}` syntax of GitHub Actions expressions. The nine flagged lines are markdown table rows and checklist items from the skill's reference material on `${{ }}` expression injection, the vector the skill exists to find; each is quoted below with the line number the scanner reported.

- line 81: ``| `${{ }}` in `run:` blocks | `references/expression-injection.md` | |``
- line 102: ``Are `${{ }}` expressions used inside `run:` blocks in externally-triggerable workflows?``
- line 103: ``- Map every `${{ }}` expression in every `run:` step``
- line 145: ``| `${{ github.event.pull_request.number }}` in `run:` | Numeric only — not injectable | |``
- line 146: ``| `${{ github.repository }}` / `github.repository_owner` | Repo owner controls this | |``
- line 147: ``| `${{ secrets.* }}` | Not an expression injection vector | |``
- line 148: ``| `${{ }}` in `if:` conditions | Evaluated by Actions runtime, not shell | |``
- line 149: ``| `${{ }}` in `with:` inputs | Passed as string parameters, not shell-evaluated | |``
- line 154: ``**Key distinction:** `${{ }}` is dangerous in `run:` blocks (shell expansion) but safe in `if:`, `with:`, and `env:` at the job/step level (Actions runtime evaluation).``

External URL reference (1 finding)

The flagged line is a citation in the skill's reference material.

- line 11: `by StepSecurity (2025): https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation`
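To make the quoted checklist item concrete (map every `${{ }}` expression in every `run:` step, then sort each one by the rules in the quoted table), here is an added Python example; it is not code from the gha-security-review skill. It reads raw workflow text with a small indentation-aware scanner for `run:` steps, records every expression it finds, classifies it using the safe entries from the table plus a non-exhaustive list of event fields an outside contributor controls (that list is the example's own assumption, not from the page), and prints the `env:` mapping that moves the value out of shell expansion. The workflow it scans is constructed for illustration.

```python
"""Map and classify ${{ }} expressions used inside run: steps of a GitHub
Actions workflow.  Added example, not code from the gha-security-review skill;
the untrusted-field list and the sample workflow are this example's own."""
import re

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# A `run:` key (optionally a list item) with an inline command, or a
# block-scalar indicator (| or >) whose body follows on the next lines.
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

# Expression prefixes whose value an outside contributor can choose:
# issue/PR titles and bodies, comments, review text, branch names,
# commit messages, workflow inputs.  Non-exhaustive (assumed list).
UNTRUSTED_PREFIXES = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.event.comment.body", "github.event.review.body",
    "github.event.review_comment.body", "github.event.head_commit.message",
    "github.event.commits", "github.event.inputs", "github.head_ref", "inputs.",
)
# Values the skill's reference table rates as not injectable in run: blocks.
SAFE_EXACT = {
    "github.event.pull_request.number",              # numeric only
    "github.repository", "github.repository_owner",  # set by the repo owner
}


def classify(expr):
    """Verdict for one expression found in a run: step."""
    if expr.startswith("secrets."):
        return "secret"          # leakage is a separate concern, not injection
    if expr in SAFE_EXACT:
        return "safe"
    if any(expr.startswith(p) for p in UNTRUSTED_PREFIXES):
        return "INJECTABLE"
    return "review"              # unknown source: check who controls it


def env_name(expr):
    """Shell-safe variable name for the env: mapping that fixes a finding."""
    tail = "_".join(expr.split(".")[-2:])
    return re.sub(r"[^A-Za-z0-9]+", "_", tail).upper()


def find_run_expressions(workflow_text):
    """Return (line, expression, verdict) for every ${{ }} inside run: steps.

    Tracks block scalars by indentation: the body of `run: |` continues
    until a non-blank line indented no deeper than the `run` key itself.
    """
    findings, in_block, block_indent = [], False, 0
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        if in_block:
            if line.strip() and indent <= block_indent:
                in_block = False                     # block scalar ended
            else:
                findings += [(lineno, e, classify(e)) for e in EXPR_RE.findall(line)]
                continue
        m = RUN_RE.match(line)
        if not m:
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        rest = m.group(3)
        if rest.startswith(("|", ">")):
            in_block, block_indent = True, key_indent
        else:
            findings += [(lineno, e, classify(e)) for e in EXPR_RE.findall(rest)]
    return findings


def injectable(workflow_text):
    """Only the findings whose value an outside contributor controls."""
    return [f for f in find_run_expressions(workflow_text) if f[2] == "INJECTABLE"]


# Constructed sample: one safe step, one injectable block scalar, one
# injectable inline command.  The secret lives in env:, so it is not reported.
SAMPLE_WORKFLOW = """\
name: triage
on:
  pull_request_target:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: echo "PR ${{ github.event.pull_request.number }} in ${{ github.repository }}"
      - name: check title
        run: |
          title="${{ github.event.pull_request.title }}"
          echo "$title" | grep -q '^feat' && echo feature
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - run: ./deploy.sh ${{ github.head_ref }}
"""

if __name__ == "__main__":
    for lineno, expr, verdict in find_run_expressions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: ${{{{ {expr} }}}} -> {verdict}")
        if verdict == "INJECTABLE":
            var = env_name(expr)
            print(f"  fix: env: {var}: ${{{{ {expr} }}}}  and use \"${var}\" in the shell")
```

On the constructed workflow the scanner reports the PR title (block scalar, line 12) and `github.head_ref` (inline, line 16) as injectable, and the PR number and repository name as safe; the `secrets.GITHUB_TOKEN` reference sits under `env:` rather than `run:`, which is exactly the mapping the fix suggests, so it is not reported. Two caveats the example does not cover: it does not read the `on:` block, so answering the "externally-triggerable workflows" question from line 102 is still a manual step; and the quoted `with:` row holds only as far as the consuming action goes, since a composite action that places an input in its own `run:` step, or `actions/github-script`, whose `script:` input is executed as JavaScript, puts the same value back into an evaluated context.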