endor-ghactions

Scan a repository's GitHub Actions workflows for insecure patterns and vulnerable third-party action versions using Endor Labs. Use when the user says "scan GitHub Actions", "workflow security", "endor ghactions", "insecure CI workflow", "vulnerable action version", "harden my GHA workflows", or focuses on `.github/workflows` without asking for a full dependency or secrets scan. Do NOT use for combined supply chain reports (/endor-supply-chain), generic quick scans (/endor-scan), adding Endor to pipelines (/endor-cicd), or dependency-only checks (/endor-check).

Quality

88%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured, actionable skill with a clear multi-step workflow, comprehensive error handling, and a detailed output template. Its main weaknesses are moderate verbosity (the report template and patterns section are lengthy inline) and references to bundle files that don't exist in the provided bundle. The actionability and workflow clarity are strong points.

Suggestions

Consider moving the full report template and 'Patterns to highlight' section into a separate reference file (e.g., `references/ghactions-report-template.md`) to reduce inline verbosity and improve progressive disclosure.

Ensure referenced files (`references/reachability-tags.md`, `references/data-sources.md`) are included in the bundle, or remove the references if they don't exist.

Dimension	Reasoning	Score
Conciseness	The skill is mostly efficient and avoids explaining basic concepts, but includes some sections that could be tightened — e.g., the 'Patterns to highlight' section is somewhat verbose and partially redundant with the findings table, and the 'Next Steps' section lists related skills that could be more compact.	2 / 3
Actionability	Provides concrete MCP tool parameters (path, scan_types, scan_options), a complete CLI fallback command, specific resource retrieval instructions, and a fully structured output template with exact markdown formatting. The guidance is specific and executable.	3 / 3
Workflow Clarity	The four-step workflow is clearly sequenced with explicit validation: Step 1 checks for prerequisites, Step 2 runs the scan with specific parameters, Step 3 retrieves details, and Step 4 presents results. Error handling is comprehensive with a dedicated table mapping errors to actions, and the skill distinguishes between 'no workflows present' vs 'clean workflows' — a meaningful validation checkpoint.	3 / 3
Progressive Disclosure	The skill references `references/reachability-tags.md` and `references/data-sources.md` but no bundle files are provided, making it impossible to verify these references resolve. The content itself is reasonably structured but the report template is quite long and could potentially be split into a reference file, keeping the SKILL.md leaner.	2 / 3
	Total	10 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that hits all the marks. It provides specific capabilities, comprehensive trigger terms covering natural user language, explicit 'Use when' and 'Do NOT use' clauses, and clear boundaries distinguishing it from related skills. The negative boundary definitions referencing other skill paths are particularly effective for disambiguation.

Dimension	Reasoning	Score
Specificity	Lists concrete actions: 'Scan a repository's GitHub Actions workflows for insecure patterns and vulnerable third-party action versions using Endor Labs.' This clearly describes specific capabilities including scanning for insecure patterns and vulnerable action versions.	3 / 3
Completeness	Clearly answers both 'what' (scan GitHub Actions workflows for insecure patterns and vulnerable third-party action versions) and 'when' (explicit 'Use when' clause with multiple trigger phrases). Additionally includes explicit 'Do NOT use' guidance with references to other skills, which further strengthens completeness.	3 / 3
Trigger Term Quality	Excellent coverage of natural trigger terms: 'scan GitHub Actions', 'workflow security', 'endor ghactions', 'insecure CI workflow', 'vulnerable action version', 'harden my GHA workflows', and '.github/workflows'. These cover both natural user language and technical terms users would actually say.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive with a clear niche (GitHub Actions security scanning specifically). The explicit 'Do NOT use' clause with references to related but distinct skills (/endor-supply-chain, /endor-scan, /endor-cicd, /endor-check) makes it very unlikely to conflict with other skills.	3 / 3
	Total	12 / 12 Passed

Validation

100%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: endorlabs/skills-ideas
Commit: b958adc

Reviewed: about 1 month ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.