GitHub Actions Manual Trigger Audit

v1.0.0

Audit manual GitHub Actions trigger dependence by workflow/event to flag automation gaps and intervention risk.

by Daniel Lummis (@daniellummis)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for daniellummis/github-actions-manual-trigger-audit.

Prompt preview: Install & Setup
Install the skill "GitHub Actions Manual Trigger Audit" (daniellummis/github-actions-manual-trigger-audit) from ClawHub.
Skill page: https://clawhub.ai/daniellummis/github-actions-manual-trigger-audit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: bash, python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install daniellummis/github-actions-manual-trigger-audit

ClawHub CLI


npx clawhub@latest install github-actions-manual-trigger-audit

Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability

The skill's name/description match what the code does: it reads GitHub Actions run JSON files, groups and scores workflows for manual-trigger dependence. Required binaries (bash, python3) are appropriate for the included shell+Python script. Minor note: the README examples show using the 'gh' CLI to collect run JSONs, but 'gh' is not listed in the declared required binaries; collecting data with 'gh' is optional for the tool to run (the script only reads local JSON files).

Instruction Scope

SKILL.md instructs the user to export run JSONs (example uses 'gh run view'), then run the script against a glob of JSON files. The runtime script only reads files matching RUN_GLOB and does not access other system configuration or environment variables. Two cautions: (1) the script will process any files matched by RUN_GLOB, so a mis-set glob could read unrelated local files; (2) the SKILL.md's 'gh' example implies network/GitHub access when collecting data, which is outside the script itself and requires separate user credentials.

Install Mechanism

No install spec; this is instruction-only plus an included script. Nothing is downloaded or installed by the skill package itself.

Credentials

The skill declares no required environment variables or credentials, and the script does not attempt to read secrets or other env vars. Note: collecting run JSONs with the GitHub CLI (as suggested in docs) would require GitHub authentication external to this skill; that is not requested by the skill itself.

Persistence & Privilege

always=false and there is no code that modifies agent configuration or other skills. The default autonomous invocation capability is unchanged (normal platform behavior) and the skill does not request persistent elevated privileges.

Assessment

This skill appears to do what it says: analyze local GitHub Actions run JSONs for manual-trigger dependence. Before running it: (1) verify the RUN_GLOB value so the script only reads intended JSON files (avoid globs that could match sensitive system files); (2) if you plan to use the 'gh run view' example to collect data, be aware that requires the GitHub CLI and your authenticated GitHub session/token — that is separate from this skill and not requested by it; (3) review the included script (already present) and consider running it against the bundled fixtures first to see output; (4) run in a constrained environment or review outputs if you are concerned about printing repository URLs or other metadata — the tool may echo URLs contained in the JSON payloads but does not transmit data externally.

Runtime requirements

Bins: bash, python3
Latest version id: vk97cj34jzkvt13ss69bsqgyb6s82e28g
258 downloads
0 stars
1 version
Updated 1mo ago
Version: v1.0.0
License: MIT-0

GitHub Actions Manual Trigger Audit

Use this skill to detect workflows that rely too heavily on manual triggers (workflow_dispatch / repository_dispatch) instead of automated CI events.

What this skill does

  • Reads GitHub Actions run JSON exports
  • Groups runs by repository + workflow (+ branch)
  • Measures manual-trigger share vs total run volume
  • Tracks recent manual-trigger streaks (latest N runs)
  • Scores severity (ok, warn, critical) for operational risk gating
  • Emits text or JSON output for automation

Inputs

Optional:

  • RUN_GLOB (default: artifacts/github-actions/*.json)
  • TOP_N (default: 20)
  • OUTPUT_FORMAT (text or json, default: text)
  • GROUP_BY (workflow or workflow-branch, default: workflow)
  • MANUAL_EVENTS (comma-separated, default: workflow_dispatch,repository_dispatch)
  • RECENT_WINDOW (latest runs inspected for streak, default: 5)
  • MIN_RUNS (minimum runs required, default: 5)
  • WARN_MANUAL_RATIO (0..1, default: 0.35)
  • CRITICAL_MANUAL_RATIO (0..1, default: 0.65)
  • WARN_MANUAL_RUNS (default: 5)
  • CRITICAL_MANUAL_RUNS (default: 12)
  • WARN_RECENT_MANUAL_STREAK (default: 3)
  • CRITICAL_RECENT_MANUAL_STREAK (default: 5)
  • WORKFLOW_MATCH / WORKFLOW_EXCLUDE (regex, optional)
  • BRANCH_MATCH / BRANCH_EXCLUDE (regex, optional)
  • EVENT_MATCH / EVENT_EXCLUDE (regex, optional)
  • REPO_MATCH / REPO_EXCLUDE (regex, optional)
  • FAIL_ON_CRITICAL (0 or 1, default: 0)

Collect run JSON

gh run view <run-id> --json databaseId,workflowName,event,headBranch,conclusion,createdAt,updatedAt,url,repository \
  > artifacts/github-actions/run-<run-id>.json

Run

Text report:

RUN_GLOB='artifacts/github-actions/*.json' \
bash skills/github-actions-manual-trigger-audit/scripts/manual-trigger-audit.sh

JSON output + fail gate:

RUN_GLOB='artifacts/github-actions/*.json' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-manual-trigger-audit/scripts/manual-trigger-audit.sh

Run against bundled fixtures:

RUN_GLOB='skills/github-actions-manual-trigger-audit/fixtures/*.json' \
bash skills/github-actions-manual-trigger-audit/scripts/manual-trigger-audit.sh

Output contract

  • Exit 0 in report mode (default)
  • Exit 1 when FAIL_ON_CRITICAL=1 and one or more groups are critical
  • Text mode prints summary + ranked workflow groups
  • JSON mode prints summary + ranked groups + critical groups
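To make the grouping, scoring and exit-code contract above concrete, here is an added Python example (it is not the skill's own manual-trigger-audit.sh script) that applies the documented default thresholds to a few constructed run records. The nested shape of the repository field and the rule that combines the ratio, run-count and streak thresholds (critical if any critical threshold is reached, else warn if any warn threshold is reached, else ok; groups under MIN_RUNS skipped) are assumptions, since the page does not state them.

```python
from collections import defaultdict

# Thresholds and defaults copied from the skill's documented inputs.
MANUAL_EVENTS = {"workflow_dispatch", "repository_dispatch"}
RECENT_WINDOW, MIN_RUNS = 5, 5
WARN_RATIO, CRIT_RATIO, WARN_RUNS, CRIT_RUNS = 0.35, 0.65, 5, 12
WARN_STREAK, CRIT_STREAK = 3, 5

def _run(wf, event, day, branch="main"):
    """Constructed sample record; field names follow the 'gh run view --json' list, repository shape is assumed."""
    return {"workflowName": wf, "event": event, "headBranch": branch,
            "createdAt": f"2024-05-{day:02d}T10:00:00Z",
            "repository": {"nameWithOwner": "acme/app"}}

# Constructed fixtures: 'deploy' is hand-fired, 'ci' is push-driven, 'nightly' has too few runs.
SAMPLE_RUNS = ([_run("deploy", "workflow_dispatch", d) for d in range(6, 11)]
               + [_run("deploy", "push", 5)]
               + [_run("ci", "push", d) for d in range(1, 6)]
               + [_run("nightly", "schedule", d) for d in range(1, 4)])

def score_runs(runs, group_by="workflow"):
    """Group runs by repo + workflow (+ branch) and score each group ok/warn/critical.
    Assumed rule: critical if any critical threshold is hit, else warn, else ok; < MIN_RUNS skipped."""
    groups = defaultdict(list)
    for r in runs:
        repo = r.get("repository", "?")
        repo = repo.get("nameWithOwner", "?") if isinstance(repo, dict) else str(repo)
        key = (repo, r["workflowName"]) + ((r["headBranch"],) if group_by == "workflow-branch" else ())
        groups[key].append(r)
    report = {}
    for key, items in groups.items():
        if len(items) < MIN_RUNS:
            continue
        items.sort(key=lambda r: r["createdAt"], reverse=True)  # ISO-8601 UTC sorts lexically
        manual = sum(r["event"] in MANUAL_EVENTS for r in items)
        ratio = manual / len(items)
        recent = [r["event"] in MANUAL_EVENTS for r in items[:RECENT_WINDOW]]
        streak = next((i for i, m in enumerate(recent) if not m), len(recent))  # manual runs from newest
        crit = ratio >= CRIT_RATIO or manual >= CRIT_RUNS or streak >= CRIT_STREAK
        warn = ratio >= WARN_RATIO or manual >= WARN_RUNS or streak >= WARN_STREAK
        severity = "critical" if crit else "warn" if warn else "ok"
        report["/".join(key)] = {"total": len(items), "manual": manual,
                                 "ratio": round(ratio, 2), "streak": streak, "severity": severity}
    return report

def exit_code(report, fail_on_critical=False):
    """Documented output contract: exit 1 only with FAIL_ON_CRITICAL=1 and at least one critical group."""
    return 1 if fail_on_critical and any(g["severity"] == "critical" for g in report.values()) else 0
```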
