GitHub Actions OIDC Hardening Audit

v1.0.0

Audit GitHub Actions cloud auth workflows for OIDC hardening gaps like missing id-token write permissions, static cloud secrets, and floating auth action refs.

by Daniel Lummis (@daniellummis)

Install


Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for daniellummis/github-actions-oidc-hardening-audit.

Install the skill "GitHub Actions OIDC Hardening Audit" (daniellummis/github-actions-oidc-hardening-audit) from ClawHub.
Skill page: https://clawhub.ai/daniellummis/github-actions-oidc-hardening-audit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: bash, python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.


CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI


openclaw skills install github-actions-oidc-hardening-audit

ClawHub CLI


npx clawhub@latest install github-actions-oidc-hardening-audit

Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the included script and fixtures. Required binaries (bash, python3) are appropriate for running the provided shell+Python scanner. No unrelated credentials, config paths, or network installs are requested.
Instruction Scope
SKILL.md and the script limit actions to scanning workflow YAML files and printing a report. The tool reads files matched by WORKFLOW_GLOB (default .github/workflows/*.y*ml) and supports arbitrary globs/regex, so a user-provided pattern could cause it to read other files on disk — this is expected for a scanner but worth noting.
Install Mechanism
Instruction-only skill with bundled script; there is no network download or package install. Nothing is written to disk beyond running the existing script, so install risk is low.
Credentials
No environment variables or secrets are required. The script inspects workflow files for secret references but does not access or require those secrets, nor does it send data externally.
Persistence & Privilege
always is false and the skill does not request persistent/system-wide privileges or modify other skills. It runs locally and does not automatically persist configuration.
Assessment
This skill appears coherent for a local static audit of GitHub Actions workflows. Before installing/running: (1) review the included script (scripts/oidc-hardening-audit.sh) if you want to confirm behavior; (2) be deliberate about WORKFLOW_GLOB / WORKFLOW_FILE_MATCH values — the script will read any files those patterns match; (3) running with FAIL_ON_CRITICAL=1 will exit non-zero (useful in CI but will fail pipelines if findings meet the threshold); (4) the tool detects references to secrets but does not read secret values or contact external endpoints. If you plan to run it in a shared environment, consider running it on a checked-out copy of the repo or restricting the glob to avoid scanning unrelated sensitive paths.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: bash, python3
latest: vk97crjpex1pqeb1p8kytz8bsbx82hpre
271 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

GitHub Actions OIDC Hardening Audit

Use this skill to catch risky cloud-auth patterns in workflow YAML before they become identity or secret exposure incidents.

What this skill does

  • Scans workflow YAML files (.github/workflows/*.y*ml by default, so both .yml and .yaml)
  • Detects AWS/GCP/Azure auth action usage:
    • aws-actions/configure-aws-credentials
    • google-github-actions/auth
    • azure/login
  • Flags workflows that use a cloud auth action but lack permissions.id-token: write, which the job needs before it can request an OIDC token
  • Flags AWS auth usage without role-to-assume (the OIDC role-assumption input)
  • Flags likely static cloud credential usage (aws-access-key-id, aws-secret-access-key, cloud credential secrets)
  • Flags floating auth action refs (@main, @master, @v1) unless allow-listed; a branch or tag can be moved by the action owner, so pin to a full commit SHA
  • Supports text or JSON output and a CI fail gate

Inputs

Optional:

  • WORKFLOW_GLOB (default: .github/workflows/*.y*ml)
  • TOP_N (default: 20)
  • OUTPUT_FORMAT (text or json, default: text)
  • WARN_SCORE (default: 3)
  • CRITICAL_SCORE (default: 7)
  • WORKFLOW_FILE_MATCH / WORKFLOW_FILE_EXCLUDE (regex, optional)
  • ALLOW_REF_REGEX (regex, optional) — allow-listed action refs
  • FAIL_ON_CRITICAL (0 or 1, default: 0)

Run

Text report:

WORKFLOW_GLOB='.github/workflows/*.yml' \
WARN_SCORE=3 \
CRITICAL_SCORE=7 \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh

JSON output + fail gate:

WORKFLOW_GLOB='.github/workflows/*.y*ml' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh

Run against bundled fixtures:

WORKFLOW_GLOB='skills/github-actions-oidc-hardening-audit/fixtures/*.y*ml' \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh

Output contract

  • Exit 0 in reporting mode (default)
  • Exit 1 when FAIL_ON_CRITICAL=1 and one or more workflows are critical
  • Text mode prints summary + top risky workflows
  • JSON mode prints summary + flagged workflows + critical workflows
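
The checks listed under "What this skill does" and the exit-code contract just above, worked as an added example written for this page (not the skill's own scripts/oidc-hardening-audit.sh, whose scoring is not published here): a stdlib-only, regex-based Python scanner run over two constructed workflows, the static-credential pattern and its OIDC counterpart. The per-finding weights, the GCP/Azure credential input names (credentials_json, creds) and the placeholder commit SHA in the hardened sample are assumptions made for the illustration.

```python
#!/usr/bin/env python3
"""Added example for this page: a stdlib-only, regex-based version of the
checks the skill lists. NOT the skill's scripts/oidc-hardening-audit.sh; the
finding weights are assumptions chosen so the default WARN_SCORE=3 /
CRITICAL_SCORE=7 thresholds are meaningful."""
import glob, os, re, sys

CLOUD_AUTH_ACTIONS = {"aws-actions/configure-aws-credentials",
                      "google-github-actions/auth", "azure/login"}
# Refs the page calls floating: branches and major-version tags. Both can be
# retargeted by the action owner; only a full 40-hex commit SHA is immutable.
FLOATING_REF = re.compile(r"^(main|master|v\d+)$")
# Action inputs that carry a long-lived cloud secret instead of an OIDC token.
# The two AWS names come from the page; the GCP/Azure names are assumed here.
STATIC_CRED_INPUTS = ("aws-access-key-id", "aws-secret-access-key",
                      "credentials_json", "creds")
WEIGHTS = {"missing-id-token-write": 4, "aws-no-role-to-assume": 3,  # assumed
           "static-cloud-credential": 5, "floating-auth-ref": 2}

def audit_workflow(text, allow_ref_regex=""):
    """Return the sorted finding ids for one workflow's YAML text."""
    findings = set()
    uses = re.findall(r"^\s*-?\s*uses:\s*([^\s#]+)", text, re.M)
    auth_uses = [u for u in uses if u.partition("@")[0] in CLOUD_AUTH_ACTIONS]
    if not auth_uses:
        return []  # no cloud auth action, so no OIDC-related checks apply
    # Simplification: id-token: write is accepted anywhere in the file (workflow
    # or job level); a job-level permissions block that drops it is not caught.
    if not re.search(r"^\s*id-token:\s*write\b", text, re.M):
        findings.add("missing-id-token-write")
    for u in auth_uses:
        action, _, ref = u.partition("@")
        if (action == "aws-actions/configure-aws-credentials"
                and not re.search(r"^\s*role-to-assume:", text, re.M)):
            findings.add("aws-no-role-to-assume")
        if allow_ref_regex and re.fullmatch(allow_ref_regex, ref):
            continue  # analogue of ALLOW_REF_REGEX
        if not ref or FLOATING_REF.match(ref):
            findings.add("floating-auth-ref")
    for key in STATIC_CRED_INPUTS:
        if re.search(r"^\s*%s:\s*\$\{\{\s*secrets\." % re.escape(key), text, re.M):
            findings.add("static-cloud-credential")
    return sorted(findings)

def classify(total, warn_score=3, critical_score=7):
    return ("critical" if total >= critical_score
            else "warn" if total >= warn_score else "ok")

def audit_all(workflows, warn_score=3, critical_score=7,
              fail_on_critical=False, allow_ref_regex=""):
    """workflows is {name: yaml_text}. Returns (reports, exit_code) per the output
    contract: 0 in reporting mode, 1 only when fail_on_critical and any workflow
    scores critical."""
    reports = []
    for name, text in workflows.items():
        findings = audit_workflow(text, allow_ref_regex)
        total = sum(WEIGHTS[f] for f in findings)
        reports.append({"workflow": name, "findings": findings, "score": total,
                        "level": classify(total, warn_score, critical_score)})
    reports.sort(key=lambda r: r["score"], reverse=True)
    critical = any(r["level"] == "critical" for r in reports)
    return reports, (1 if fail_on_critical and critical else 0)

# Constructed sample workflows: the weak pattern and its hardened counterpart
# (the 40-hex SHA in HARDENED is a placeholder made up for this example).
WEAK = """\
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
"""
HARDENED = """\
on: push
permissions:
  contents: read
  id-token: write
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@0123456789abcdef0123456789abcdef01234567
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gha-deploy
          aws-region: us-east-1
"""

if __name__ == "__main__":
    pattern = os.environ.get("WORKFLOW_GLOB")  # scan real files when given
    workflows = ({p: open(p, encoding="utf-8").read() for p in sorted(glob.glob(pattern))}
                 if pattern else {"weak.yml": WEAK, "hardened.yml": HARDENED})
    reports, code = audit_all(workflows, fail_on_critical=os.environ.get("FAIL_ON_CRITICAL") == "1")
    for r in reports:
        print(f"{r['level']:8} score={r['score']:<2} {r['workflow']}: {', '.join(r['findings']) or 'clean'}")
    sys.exit(code)
```

Run it with no environment to audit the two embedded samples, or with WORKFLOW_GLOB='.github/workflows/*.y*ml' FAIL_ON_CRITICAL=1 on a checkout to mirror the skill's CI gate. Under the assumed weights the weak sample collects all four findings (score 14, critical) and the hardened one scores 0; passing allow_ref_regex=r"v\d+" suppresses only the floating-ref finding, the same trade-off ALLOW_REF_REGEX makes in the skill.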
