Github Actions Linter

v1.0.0

Lint and validate GitHub Actions workflow YAML files for common mistakes, security issues, deprecated actions, and best practices. Use when asked to lint, va...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (GitHub Actions linter) match the delivered artifacts: runtime instructions call the bundled Python script and the repository contains a linter implementation. There are no unrelated required binaries or credentials.
Instruction Scope
SKILL.md instructs the agent to run the included script (python3 scripts/gha_linter.py) against one or more files or directories and provides modes (lint, security, deprecated, validate). This necessarily reads workflow files (e.g., .github/workflows/*.yml) and can be pointed at arbitrary paths. That is expected for a linter, but be aware that it will parse any files or directories you ask it to analyze.
Install Mechanism
No install spec or external downloads. The linter is bundled as a local Python script and claims to rely only on stdlib; nothing is pulled from external URLs or package registries.
Credentials
The skill declares no required environment variables or credentials. SKILL.md and the visible code do not reference secret or external credentials. Requesting no tokens is proportional to a static linter.
Persistence & Privilege
always is false and the skill does not request elevated or persistent presence. There are no instructions to modify other skills or global agent configuration.
Assessment
This skill appears to be a straightforward, bundled Python linter for GitHub Actions workflows. Before installing or running it: (1) inspect the full script (scripts/gha_linter.py) yourself — running arbitrary code has risk even if it looks benign; (2) run it on a local or sandboxed copy of your repository if you have sensitive workflows or secrets (the tool will read any files you point it at); (3) expect some false positives/negatives because it uses a custom minimal YAML parser; (4) no credentials are required, so avoid granting tokens or secrets to the skill. If you want extra assurance, run the script in an isolated environment (container) and review its full source for any network or shell operations before use.

