CtrlK
BlogDocsLog inGet started
Tessl Logo

gh-actions-validator

Validate use when validating GitHub Actions workflows for Google Cloud and Vertex AI deployments. Trigger with phrases like "validate github actions", "setup workload identity federation", "github actions security", "deploy agent with ci/cd", or "automate vertex ai deployment". Enforces Workload Identity Federation (WIF), validates OIDC permissions, ensures least privilege IAM, and implements security best practices.

62

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is organized into clear sections and is token-light, but the Instructions are vague one-liners, the Output section is broken/incomplete, validation checkpoints are absent, and several bundle files plus a dangling path are not properly surfaced. It is serviceable but needs concrete commands and tighter reference wiring.

Suggestions

Replace the abstract Instructions with concrete commands (e.g., the actual gcloud/gh invocations or a call to scripts/validate-workflow.sh) and make the Output section a complete, fenced, copy-paste-ready workflow YAML.

Add explicit validation checkpoints between steps (run validate-workflow.sh, confirm id-token: write and least-privilege IAM, fail the workflow on errors) so the audit-and-harden sequence has feedback loops.

Wire all bundle files into the body — reference ARD.md/PRD.md and setup-wif.sh/validate-workflow.sh from the relevant sections — and remove or create the non-existent docs/wif-setup.md path.

DimensionReasoningScore

Conciseness

The body is short and avoids concept-explaining fluff, but the 'Output' section is broken YAML fragments that consume tokens without adding usable value, and the terse one-line Instructions are lean at the cost of detail — 'mostly efficient' with wasted/incomplete content rather than every token earning its place.

2 / 3

Actionability

Instructions are abstract directives ('Scan .github/workflows/ for security issues', 'Ensure no JSON service account keys are used') rather than executable commands, and the 'Output' YAML is incomplete (a stray --project line outside any fence, missing steps); it names concrete checks but is not copy-paste ready, so it sits above the vague level but below executable.

2 / 3

Workflow Clarity

Eight numbered steps give a sequence, but there are no validation checkpoints for the audit/fix operations; per the rubric, missing validation for batch/hardening operations caps workflow clarity at 2 rather than the explicit-checkpoint level.

2 / 3

Progressive Disclosure

The body signals some real references (errors.md, examples.md), but bundle files ARD.md, PRD.md, setup-wif.sh and validate-workflow.sh are never referenced from the body, and a pointer to docs/wif-setup.md points to a non-existent file — structure is present but not cleanly signaled.

2 / 3

Total

8

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is well-crafted: it names concrete capabilities, supplies natural trigger phrases, answers both what and when explicitly, and occupies a distinct niche. A minor rough edge is the slightly awkward opening phrasing ('Validate use when validating...'), but it does not undermine the score.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — 'Enforces Workload Identity Federation (WIF), validates OIDC permissions, ensures least privilege IAM' — matching the multiple-specific-actions anchor, not the domain-and-some-actions level below.

3 / 3

Completeness

States what it does (validate/harden GitHub Actions→GCP/Vertex via WIF, OIDC, IAM) and when to use it via explicit 'Trigger with phrases like...' guidance, satisfying both what-and-when; not capped at 2 because an explicit trigger clause is present.

3 / 3

Trigger Term Quality

Provides a natural trigger phrase list ('validate github actions', 'setup workload identity federation', 'github actions security', 'deploy agent with ci/cd', 'automate vertex ai deployment') users would plausibly say, matching the good-coverage anchor.

3 / 3

Distinctiveness Conflict Risk

Targets a narrow niche (GitHub Actions deploying to GCP/Vertex AI via WIF) with distinctive triggers unlikely to collide with other skills, matching the clear-niche anchor.

3 / 3

Total

12

/

12

Passed

Validation

87%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation14 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

allowed_tools_field

'allowed-tools' contains unusual tool name(s)

Warning

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

14

/

16

Passed

Repository
jeremylongshore/claude-code-plugins-plus-skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.