gha-security-review
Conducts security reviews of GitHub Actions workflows to identify vulnerabilities and provide concrete exploitation scenarios.
Security score
The gha-security-review skill was audited on May 26, 2026 and we found 10 security issues across 2 threat categories, including 9 high-severity. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context

- Line 74: ``| `${{ }}` in `run:` blocks | `references/expression-injection.md` |``
- Line 95: ``Are `${{ }}` expressions used inside `run:` blocks in externally-triggerable workflows?``
- Line 96: ``- Map every `${{ }}` expression in every `run:` step``
- Line 138: ``| `${{ github.event.pull_request.number }}` in `run:` | Numeric only — not injectable |``
- Line 139: ``| `${{ github.repository }}` / `github.repository_owner` | Repo owner controls this |``
- Line 140: ``| `${{ secrets.* }}` | Not an expression injection vector |``
- Line 141: ``| `${{ }}` in `if:` conditions | Evaluated by Actions runtime, not shell |``
- Line 142: ``| `${{ }}` in `with:` inputs | Passed as string parameters, not shell-evaluated |``
- Line 147: ``**Key distinction:** `${{ }}` is dangerous in `run:` blocks (shell expansion) but safe in `if:`, `with:`, and `env:` at the job/step level (Actions runtime evaluation).``

External URL reference

- Line 9: `by StepSecurity (2025): https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation`