GitHub Actions Step Flake Audit

v1.0.0

Detect flaky GitHub Actions job steps by finding mixed success/failure conclusions across runs.

by Daniel Lummis (@daniellummis)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the implementation: the script aggregates step outcomes from GitHub Actions run JSON files and scores flaky steps. Small mismatch: SKILL.md shows how to obtain JSON with `gh run view`, but the skill does not declare `gh` as a required binary or try to call `gh` itself — it only reads pre-collected JSON files. This is a minor documentation vs. requirement inconsistency, not a functional problem.
Instruction Scope
Runtime instructions and the script operate on local JSON files (RUN_GLOB) and only inspect fields in those files. The script reads, parses, filters, aggregates, and prints results or exits non-zero when FAIL_ON_CRITICAL is set. It does not attempt to read other system files, access network endpoints, or export data externally.
Install Mechanism
There is no install spec (instruction-only plus a bundled script), so nothing is downloaded or installed by the skill. Required binaries are minimal (bash, python3) and match the provided script.
Credentials
The skill requests no environment variables or credentials. It accepts many optional runtime variables (regex filters, thresholds) which are reasonable for its purpose. There are no secret-like env vars declared or accessed.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not modify agent system configuration. It runs as a one-off script operating on files the user supplies.
Assessment
This skill analyzes local GitHub Actions run JSON exports and does not send data out or require credentials. Before running: 1) ensure RUN_GLOB points only to intended artifact files (avoid broad globs that might match sensitive JSON), 2) if you want to collect runs using the `gh` example in SKILL.md, run that yourself — the skill does not call `gh` and does not declare it as a dependency, and 3) inspect any real run JSONs to confirm they don't contain sensitive secrets you don't want processed or stored. Otherwise the tool appears coherent and appropriate for its stated purpose.


latest: vk9733snw8n45p2p8npz6qn3a8d82egw2

Runtime requirements

Bins: bash, python3