Skip to main content

agentic-actions-auditor

Audits GitHub Actions workflows for security vulnerabilities in AI integrations, ensuring CI/CD pipeline safety against prompt injection risks.

Install this skill

or
39/100

Security score

The agentic-actions-auditor skill was audited on Mar 21, 2026 and we found 5 security issues across 2 threat categories, including 4 high-severity. Review the findings below before installing.

Categories Tested

Security Issues

high line 40

Template literal with variable interpolation in command context

SourceSKILL.md
40Wrong because tool restrictions can still be weaponized. Even restricted tools like `echo` can be abused for data exfiltration via subshell expansion (`echo $(env)`). A tool allowlist reduces attack s
high line 216

Template literal with variable interpolation in command context

SourceSKILL.md
216- For each env var, note whether its value contains `${{ }}` expressions referencing event data (e.g., `${{ github.event.issue.body }}`, `${{ github.event.pull_request.title }}`)
high line 238

Template literal with variable interpolation in command context

SourceSKILL.md
238| A | Env Var Intermediary | `env:` block with `${{ github.event.* }}` value + prompt reads that env var name | [{baseDir}/references/vector-a-env-var-intermediary.md]({baseDir}/references/vector-a-en
high line 239

Template literal with variable interpolation in command context

SourceSKILL.md
239| B | Direct Expression Injection | `${{ github.event.* }}` inside prompt or system-prompt field | [{baseDir}/references/vector-b-direct-expression-injection.md]({baseDir}/references/vector-b-direct-e
low line 68

External URL reference

SourceSKILL.md
68Strip trailing slashes, `.git` suffix, and `www.` prefix. Handle both `http://` and `https://`.
Scanned on Mar 21, 2026
View Security Dashboard

Install this skill with one command

/learn @trailofbits/agentic-actions-auditor
GitHub Stars 3.7K
Rate this skill
Categorydevelopment
UpdatedMarch 29, 2026
openclawbackenddevopsdevops-srebackend-developersecurity-engineerdata-engineerqa-engineergithubgitlabdevelopment
trailofbits/skills