CtrlK
BlogDocsLog inGet started
Tessl Logo

agentic-actions-auditor

Audits GitHub Actions workflows for security vulnerabilities in AI agent integrations including Claude Code Action, Gemini CLI, OpenAI Codex, and GitHub AI Inference. Detects attack vectors where attacker-controlled input reaches. AI agents running in CI/CD pipelines.

63

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The methodology is highly actionable and clearly sequenced with explicit checkpoints, and it correctly pushes detail to reference files. Its weaknesses are length/conciseness for an overview and a progressive-disclosure gap: the referenced bundle files are absent and significant detail remains inline.

Suggestions

Provide the missing referenced files under `references/` (foundations.md, cross-file-resolution.md, action-profiles.md, vector-a..i-*.md) or remove the dangling references, since the progressive-disclosure promise is currently unfulfilled.

Move the detailed report-formatting rules (sections 5a–5g) and the per-action field tables into a reference file, keeping SKILL.md as a lean overview.

Tighten the "Rationalizations to Reject" section or relocate it to a reference so the core methodology overview stays lean.

DimensionReasoningScore

Conciseness

The body assumes Claude's competence (no basic explanations of YAML, GitHub Actions, or PDFs) and pushes per-vector/per-action detail to references, but the ~320-line overview still carries substantial inline content (sections 5a–5g report formatting, full rationalizations, per-action field tables) that could be tightened or split out.

2 / 3

Actionability

Provides fully executable guidance: concrete `gh api` commands with `--jq` filters, Glob patterns, a known AI-action reference table with prefix-matching rules, per-action input fields, and a per-vector quick-check table — copy-paste ready.

3 / 3

Workflow Clarity

Steps 0–5 are explicitly sequenced ("Follow these steps in order. Each step builds on the previous one.") with stop conditions ("If no workflow files are found... stop"), error handling for 401/404, and a depth-1 limit; the read-only audit nature makes destructive-operation feedback loops inapplicable.

3 / 3

Progressive Disclosure

References are clearly signaled and one level deep ("See {baseDir}/references/cross-file-resolution.md", vector files, action-profiles.md), but the referenced `references/` directory does not exist in the bundle and the body keeps a large amount of detail inline rather than splitting it out.

2 / 3

Total

10

/

12

Passed

Description

72%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear, distinctive niche and includes natural trigger terms, but it omits an explicit "Use when" clause and its actions are generic verbs rather than a concrete enumeration. A mid-sentence period ("reaches. AI agents") also disrupts readability.

Suggestions

Add an explicit trigger clause, e.g. "Use when auditing GitHub Actions workflows that invoke AI coding agents, or when the user mentions Claude Code Action, Gemini CLI, OpenAI Codex, or GitHub AI Inference in CI/CD."

Fix the sentence break so it reads "where attacker-controlled input reaches AI agents running in CI/CD pipelines" (remove the stray period).

Replace generic verbs ("Audits", "Detects") with a few concrete operations to lift specificity, e.g. "Discovers workflow files, identifies AI action steps, traces cross-file references, and reports injection vectors."

DimensionReasoningScore

Specificity

Names the domain and four concrete integrations ("Claude Code Action, Gemini CLI, OpenAI Codex, and GitHub AI Inference") plus two actions ("Audits...", "Detects attack vectors"), but the verbs are generic and the sentence is garbled ("reaches. AI agents running"), so it does not enumerate multiple distinct concrete operations like the level-3 anchor.

2 / 3

Completeness

It clearly states what the skill does ("Audits...", "Detects attack vectors") but has no "Use when..." clause or equivalent explicit trigger guidance, which caps completeness at 2 per the guidelines.

2 / 3

Trigger Term Quality

Good coverage of natural terms a user would say when requesting this audit: "GitHub Actions workflows", "Claude Code Action", "Gemini CLI", "OpenAI Codex", "CI/CD pipelines", and "security vulnerabilities".

3 / 3

Distinctiveness Conflict Risk

The niche is highly specific — static security analysis of GitHub Actions workflows that invoke named AI coding agents — and the named integrations form distinct triggers unlikely to conflict with other skills.

3 / 3

Total

10

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
sickn33/antigravity-awesome-skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.