agentic-actions-auditor
Audits GitHub Actions workflows for security vulnerabilities in AI integrations, ensuring CI/CD pipeline safety against prompt injection risks.
Security score: 39/100
The agentic-actions-auditor skill was audited on May 12, 2026 and we found 5 security issues across 2 threat categories, including 4 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Severity: high, line 36
Template literal with variable interpolation in command context
Source: SKILL.md
| 36 | Wrong because tool restrictions can still be weaponized. Even restricted tools like `echo` can be abused for data exfiltration via subshell expansion (`echo $(env)`). A tool allowlist reduces attack s |

Severity: high, line 212
Template literal with variable interpolation in command context
Source: SKILL.md
| 212 | - For each env var, note whether its value contains `${{ }}` expressions referencing event data (e.g., `${{ github.event.issue.body }}`, `${{ github.event.pull_request.title }}`) |

Severity: high, line 234
Template literal with variable interpolation in command context
Source: SKILL.md
| 234 | | A | Env Var Intermediary | `env:` block with `${{ github.event.* }}` value + prompt reads that env var name | [{baseDir}/references/vector-a-env-var-intermediary.md]({baseDir}/references/vector-a-en |

Severity: high, line 235
Template literal with variable interpolation in command context
Source: SKILL.md
| 235 | | B | Direct Expression Injection | `${{ github.event.* }}` inside prompt or system-prompt field | [{baseDir}/references/vector-b-direct-expression-injection.md]({baseDir}/references/vector-b-direct-e |

Severity: low, line 64
External URL reference
Source: SKILL.md
| 64 | Strip trailing slashes, `.git` suffix, and `www.` prefix. Handle both `http://` and `https://`. |
Scanned on May 12, 2026
GitHub Stars: 3.7K
Category: development
Updated: May 13, 2026
Tags: claude, claude-code, codex, frontend, docx, git, api, testing, devops, backend, devops-sre, backend-developer, security-engineer, data-engineer, qa-engineer, github, gitlab, development
trailofbits/skills