Validate use when validating GitHub Actions workflows for Google Cloud and Vertex AI deployments. Trigger with phrases like "validate github actions", "setup workload identity federation", "github actions security", "deploy agent with ci/cd", or "automate vertex ai deployment". Enforces Workload Identity Federation (WIF), validates OIDC permissions, ensures least privilege IAM, and implements security best practices.
61
53%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./plugins/devops/jeremy-github-actions-gcp/skills/gh-actions-validator/SKILL.md
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its niche at the intersection of GitHub Actions, Google Cloud/Vertex AI, and security validation. It provides explicit trigger phrases, lists concrete capabilities, and is distinctive enough to avoid conflicts with related but different skills. The only minor issue is the slightly awkward opening 'Validate use when validating' which is redundant, but it doesn't materially harm the description's effectiveness.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Enforces Workload Identity Federation (WIF)', 'validates OIDC permissions', 'ensures least privilege IAM', and 'implements security best practices'. These are concrete, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers both 'what' (validates GitHub Actions workflows, enforces WIF, validates OIDC permissions, ensures least privilege IAM) and 'when' (explicit trigger phrases provided with 'Trigger with phrases like...' and 'Use when validating GitHub Actions workflows'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms: 'validate github actions', 'setup workload identity federation', 'github actions security', 'deploy agent with ci/cd', 'automate vertex ai deployment'. These cover multiple natural phrasings a user might use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly specific niche combining GitHub Actions + Google Cloud/Vertex AI + security validation (WIF, OIDC, IAM). This is unlikely to conflict with generic CI/CD skills or generic cloud deployment skills due to the very specific domain intersection. | 3 / 3 |
| Total | 12 / 12 Passed | |
Implementation
7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is a skeleton outline rather than actionable guidance. It lacks executable code, concrete commands, specific validation logic, and meaningful examples. The workflow steps are abstract descriptions that don't tell Claude what to actually do, and the Output section contains incomplete YAML fragments that serve no practical purpose.
Suggestions
Replace the abstract Instructions checklist with concrete, executable steps—e.g., provide actual grep/regex patterns to detect service account key usage, specific YAML structures to validate, and gcloud commands for WIF setup.
Add a complete, copy-paste-ready example workflow YAML in the Output section showing a properly configured WIF-based deployment to Vertex AI.
Include explicit validation checkpoints with feedback loops—e.g., 'Run this command to verify WIF is configured correctly; if it fails with error X, do Y.'
Remove the Prerequisites section (Claude knows what gcloud CLI is) and replace with a concise 'Required setup' one-liner listing only non-obvious requirements like specific IAM roles needed.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The Prerequisites section explains things Claude already knows (what gcloud CLI is, that billing needs to be enabled). The Instructions section is a vague checklist that adds little actionable value. The Output section is incomplete fragments that waste tokens without being useful. | 1 / 3 |
| Actionability | No executable code, no concrete commands, no specific validation logic. The Instructions are abstract descriptions ('Scan .github/workflows/ for security issues') rather than concrete steps. The Output section contains incomplete YAML fragments that are not copy-paste ready or executable. | 1 / 3 |
| Workflow Clarity | The 8-step workflow is a vague checklist with no validation checkpoints, no feedback loops, and no concrete sequencing. For a skill involving security auditing and deployment (potentially destructive operations), there are no verification steps or error recovery paths described in the body itself. | 1 / 3 |
| Progressive Disclosure | References to external files (errors.md, examples.md, wif-setup.md) are present and one-level deep, which is good structure. However, no bundle files exist to back these references, and the main body lacks sufficient overview content to stand on its own—it's too thin to be a useful entry point. | 2 / 3 |
| Total | 5 / 12 Passed | |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
3a2d27d