Audits GitHub Actions workflows for security vulnerabilities in AI agent integrations including Claude Code Action, Gemini CLI, OpenAI Codex, and GitHub AI Inference. Detects attack vectors where attacker-controlled input reaches AI agents running in CI/CD pipelines.
86
83%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, specific description that clearly identifies its domain (GitHub Actions security for AI agent integrations) and names concrete tools and attack patterns. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The description also has some minor formatting issues with extra spaces.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when reviewing GitHub Actions workflows for security issues, auditing CI/CD pipelines that invoke AI agents, or when the user mentions prompt injection risks in automated workflows.'
Clean up extra whitespace in the description (e.g., 'including Claude Code Action, Gemini CLI' has double spaces) for better readability.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: audits GitHub Actions workflows, detects security vulnerabilities in AI agent integrations, names specific tools (Claude Code Action, Gemini CLI, OpenAI Codex, GitHub AI Inference), and identifies specific attack vectors (attacker-controlled input reaching AI agents in CI/CD pipelines). | 3 / 3 |
| Completeness | Clearly answers 'what does this do' (audits workflows for security vulnerabilities, detects attack vectors), but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied by the nature of the actions described. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'GitHub Actions', 'security', 'vulnerabilities', 'AI agent', 'CI/CD', 'Claude Code Action', 'Gemini CLI', 'OpenAI Codex', 'attack vectors', 'workflows'. These are terms a user concerned about CI/CD security would naturally use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche: specifically targets security auditing of AI agent integrations in GitHub Actions workflows. The combination of CI/CD security + AI agents + named tools creates a very clear, unique domain unlikely to conflict with other skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
85%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, highly actionable security audit skill with excellent progressive disclosure and clear workflow sequencing. The methodology is concrete with specific commands, tables, and decision criteria at every step. Minor verbosity in the introductory sections and rationalizations could be tightened, but the complexity of the domain largely justifies the length.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is thorough but includes some verbose sections that could be tightened. The 'Rationalizations to Reject' section, while useful, explains concepts at length. The 'When to Use' and 'When NOT to Use' sections have some redundancy. However, most content earns its place given the complexity of the domain. | 2 / 3 |
| Actionability | Highly actionable with concrete commands (gh api calls with exact syntax), specific matching rules for action references, detailed tables of fields to capture, and precise detection heuristics. The step-by-step methodology provides executable guidance at every stage, from URL parsing to report generation. | 3 / 3 |
| Workflow Clarity | The 5-step methodology is clearly sequenced with explicit dependencies ('Each step builds on the previous one'). Validation checkpoints are present: Step 1 stops if no workflows found, Step 2 stops if no AI actions found. Error handling for remote analysis is explicit. The cross-file resolution has a depth limit. Report structure includes clear decision criteria for severity judgment. | 3 / 3 |
| Progressive Disclosure | Excellent progressive disclosure structure. The main skill provides a complete methodology overview while deferring detailed content to well-signaled reference files: action-profiles.md, foundations.md, individual vector files (vector-a through vector-i), and cross-file-resolution.md. References are one level deep and clearly signaled with full paths. | 3 / 3 |
| Total | 11 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
b739683