Scan a repository's GitHub Actions workflows for insecure patterns and vulnerable third-party action versions using Endor Labs. Use when the user says "scan GitHub Actions", "workflow security", "endor ghactions", "insecure CI workflow", "vulnerable action version", "harden my GHA workflows", or focuses on `.github/workflows` without asking for a full dependency or secrets scan. Do NOT use for combined supply chain reports (/endor-supply-chain), generic quick scans (/endor-scan), adding Endor to pipelines (/endor-cicd), or dependency-only checks (/endor-check).
72

- Quality: 88% (Does it follow best practices?)
- Impact: — (No eval scenarios have been run)
- Passed: No known issues
Quality
Discovery
100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that hits all the marks. It provides specific capabilities, comprehensive trigger terms covering natural user language, explicit 'Use when' and 'Do NOT use' clauses, and clear boundaries distinguishing it from related skills. The negative boundary definitions referencing other skill paths are particularly effective for disambiguation.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists concrete actions: 'Scan a repository's GitHub Actions workflows for insecure patterns and vulnerable third-party action versions using Endor Labs.' This clearly describes specific capabilities including scanning for insecure patterns and vulnerable action versions. | 3 / 3 |
| Completeness | Clearly answers both 'what' (scan GitHub Actions workflows for insecure patterns and vulnerable third-party action versions) and 'when' (explicit 'Use when' clause with multiple trigger phrases). Additionally includes explicit 'Do NOT use' guidance with references to other skills, which further strengthens completeness. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms: 'scan GitHub Actions', 'workflow security', 'endor ghactions', 'insecure CI workflow', 'vulnerable action version', 'harden my GHA workflows', and '.github/workflows'. These cover both natural user language and technical terms users would actually say. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche (GitHub Actions security scanning specifically). The explicit 'Do NOT use' clause with references to related but distinct skills (/endor-supply-chain, /endor-scan, /endor-cicd, /endor-check) makes it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, actionable skill with a clear multi-step workflow, comprehensive error handling, and a detailed output template. Its main weaknesses are moderate verbosity (the report template and patterns section are lengthy inline) and references to bundle files that don't exist in the provided bundle. The actionability and workflow clarity are strong points.
Suggestions

- Consider moving the full report template and 'Patterns to highlight' section into a separate reference file (e.g., `references/ghactions-report-template.md`) to reduce inline verbosity and improve progressive disclosure.
- Ensure referenced files (`references/reachability-tags.md`, `references/data-sources.md`) are included in the bundle, or remove the references if they don't exist.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient and avoids explaining basic concepts, but includes some sections that could be tightened — e.g., the 'Patterns to highlight' section is somewhat verbose and partially redundant with the findings table, and the 'Next Steps' section lists related skills that could be more compact. | 2 / 3 |
| Actionability | Provides concrete MCP tool parameters (path, scan_types, scan_options), a complete CLI fallback command, specific resource retrieval instructions, and a fully structured output template with exact markdown formatting. The guidance is specific and executable. | 3 / 3 |
| Workflow Clarity | The four-step workflow is clearly sequenced with explicit validation: Step 1 checks for prerequisites, Step 2 runs the scan with specific parameters, Step 3 retrieves details, and Step 4 presents results. Error handling is comprehensive with a dedicated table mapping errors to actions, and the skill distinguishes between 'no workflows present' vs 'clean workflows' — a meaningful validation checkpoint. | 3 / 3 |
| Progressive Disclosure | The skill references `references/reachability-tags.md` and `references/data-sources.md` but no bundle files are provided, making it impossible to verify these references resolve. The content itself is reasonably structured but the report template is quite long and could potentially be split into a reference file, keeping the SKILL.md leaner. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation
100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
b958adc