Scan a repository's GitHub Actions workflows for insecure patterns and vulnerable third-party action versions using Endor Labs. Use when the user says "scan GitHub Actions", "workflow security", "endor ghactions", "insecure CI workflow", "vulnerable action version", "harden my GHA workflows", or focuses on `.github/workflows` without asking for a full dependency or secrets scan. Do NOT use for combined supply chain reports (/endor-supply-chain), generic quick scans (/endor-scan), adding Endor to pipelines (/endor-cicd), or dependency-only checks (/endor-check).
94
92%
Does it follow best practices?
Impact: Pending (no eval scenarios have been run)
Passed: no known issues
Quality
Discovery — 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that hits all the marks. It provides specific capabilities, comprehensive trigger terms covering natural user language, explicit 'Use when' and 'Do NOT use' clauses, and clear boundaries distinguishing it from related skills. The negative boundary definitions referencing other skill paths are particularly effective for disambiguation.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists concrete actions: 'Scan a repository's GitHub Actions workflows for insecure patterns and vulnerable third-party action versions using Endor Labs.' This clearly describes specific capabilities, including scanning for insecure patterns and vulnerable action versions. | 3 / 3 |
| Completeness | Clearly answers both 'what' (scan GitHub Actions workflows for insecure patterns and vulnerable third-party action versions) and 'when' (explicit 'Use when' clause with multiple trigger phrases). Additionally includes explicit 'Do NOT use' guidance with references to other skills, which further strengthens completeness. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms: 'scan GitHub Actions', 'workflow security', 'endor ghactions', 'insecure CI workflow', 'vulnerable action version', 'harden my GHA workflows', and '.github/workflows'. These cover both natural user language and technical terms users would actually say. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche (GitHub Actions security scanning specifically). The explicit 'Do NOT use' clause with references to related but distinct skills (/endor-supply-chain, /endor-scan, /endor-cicd, /endor-check) makes it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation — 85%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-crafted skill with strong actionability, clear multi-step workflow with validation checkpoints, and good progressive disclosure through references to related skills and documentation. The content is mostly concise but could trim some redundancy in the report template's 'Patterns to highlight' section and the scope table. Overall, it provides Claude with everything needed to execute a GitHub Actions security scan confidently.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient and avoids explaining concepts Claude already knows, but some sections are slightly verbose: the 'Patterns to highlight' section repeats what findings would already describe, and the scope table could be a single sentence. The report template is detailed but justified given the structured output requirement. | 2 / 3 |
| Actionability | Provides concrete MCP tool parameters (path, scan_types, scan_options), a complete CLI fallback command, specific resource retrieval instructions with resource_type and uuid, and a fully structured markdown report template. Every step has executable, copy-paste-ready guidance. | 3 / 3 |
| Workflow Clarity | The four-step workflow is clearly sequenced with explicit validation: Step 1 checks for prerequisites, Step 2 runs the scan with specific parameters and distinguishes no-workflows from clean-workflows, Step 3 retrieves details per finding, and Step 4 presents results. The error handling table provides clear feedback loops for each failure mode. | 3 / 3 |
| Progressive Disclosure | The skill is well-structured with clear sections (Scope, Workflow steps, Error Handling) and appropriately references external files (references/reachability-tags.md, references/data-sources.md) and related skills (/endor-fix, /endor-supply-chain, etc.) without nesting references more than one level deep. | 3 / 3 |
| Total | | 11 / 12 Passed |
Validation — 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
344e7ff