agentic-actions-auditor
Static security analysis for GitHub Actions workflows invoking AI coding agents.
- Detects nine attack vectors where attacker-controlled input reaches AI agents in CI/CD pipelines, including env var intermediaries, direct expression injection, CLI data fetches, dangerous sandbox configs, and wildcard user allowlists
- Scans `.github/workflows/` for Claude Code Action, Gemini CLI, OpenAI Codex, and GitHub AI Inference steps; resolves one level of composite actions and reusable workflows
- Captures security context from step configuration (`with:` blocks), workflow triggers, environment variables, and permissions to trace data flow from GitHub event context to AI prompts
- Produces structured findings reports with severity judgment, YAML evidence, annotated data flow traces, and action-specific remediation guidance
Agentic Actions Auditor
Static security analysis guidance for GitHub Actions workflows that invoke AI coding agents. This skill teaches you how to discover workflow files locally or from remote GitHub repositories, identify AI action steps, follow cross-file references to composite actions and reusable workflows that may contain hidden AI agents, capture security-relevant configuration, and detect attack vectors where attacker-controlled input reaches an AI agent running in a CI/CD pipeline.
When to Use
- Auditing a repository's GitHub Actions workflows for AI agent security
- Reviewing CI/CD configurations that invoke Claude Code Action, Gemini CLI, or OpenAI Codex
- Checking whether attacker-controlled input can reach AI agent prompts
- Evaluating agentic action configurations (sandbox settings, tool permissions, user allowlists)
- Assessing trigger events that expose workflows to external input (`pull_request_target`, `issue_comment`, etc.)
- Investigating data flow from GitHub event context through `env:` blocks to AI prompt fields
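Added illustration, not the skill's own code: a minimal version of the data-flow trace described above, following `${{ env.NAME }}` intermediaries from an AI agent step's `with:` inputs back to attacker-controlled event fields. The workflow is a constructed sample in already-parsed form, and the action prefixes and event-field list are assumptions to adjust to your own inventory.

```python
import re
# Constructed sample: a workflow in already-parsed form (the dict a YAML loader returns).
WORKFLOW = {
    "on": {"issue_comment": {"types": ["created"]}},
    "env": {"COMMENT": "${{ github.event.comment.body }}"},
    "jobs": {"triage": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "anthropics/claude-code-action@v1",
         "with": {"prompt": "Handle this request: ${{ env.COMMENT }}"}},
        {"uses": "anthropics/claude-code-action@v1",
         "with": {"prompt": "Summarise PR #${{ github.event.issue.number }}"}},
    ]}},
}
# Event fields an outside contributor can write (assumed, non-exhaustive list).
ATTACKER_CONTEXTS = ("github.event.issue.title", "github.event.issue.body",
                     "github.event.comment.body", "github.event.pull_request.title",
                     "github.event.pull_request.body", "github.event.review.body",
                     "github.head_ref", "github.event.pull_request.head.ref")
# Action prefixes treated as AI agents (assumed inventory; extend for your org).
AI_ACTIONS = ("anthropics/claude-code-action", "google-github-actions/run-gemini-cli",
              "openai/codex-action", "actions/ai-inference")
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")

def taint(value, env_scopes, trace=(), depth=0):
    """(source, trace) pairs for attacker data reachable from value via ${{ env.NAME }}."""
    if not isinstance(value, str) or depth > 4:
        return []
    hits = []
    for expr in EXPR.findall(value):
        hits += [(c, trace + (expr,)) for c in ATTACKER_CONTEXTS if c in expr]
        m = re.fullmatch(r"env\.(\w+)", expr)
        scope = next((s for s in env_scopes if m and m.group(1) in s), None)  # innermost wins
        if scope is not None:
            hits += taint(scope[m.group(1)], env_scopes, trace + (expr,), depth + 1)
    return hits

def audit(workflow):
    """List AI agent steps whose with: inputs carry attacker-controlled event data."""
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        for i, step in enumerate(job.get("steps", [])):
            uses = step.get("uses", "")
            if not uses.startswith(AI_ACTIONS):
                continue
            scopes = [step.get("env", {}), job.get("env", {}), workflow.get("env", {})]
            for field, value in step.get("with", {}).items():
                for source, trace in taint(value, scopes):
                    findings.append({"job": job_name, "step": i, "action": uses, "input": field,
                                     "source": source, "triggers": sorted(workflow.get("on", {})),
                                     "flow": " -> ".join((*reversed(trace), f"with.{field}"))})
    return findings
```

The second step is a deliberate negative case: `github.event.issue.number` is not contributor-controlled text, so only the env-intermediary flow is reported.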
When NOT to Use
- Analyzing workflows that do NOT use any AI agent actions (use general Actions security tools instead)
- Reviewing standalone composite actions or reusable workflows outside of a caller workflow context (use this skill when analyzing a workflow that references them via `uses:`)
- Performing runtime prompt injection testing (this is static analysis guidance, not exploitation)
- Auditing non-GitHub CI/CD systems (Jenkins, GitLab CI, CircleCI)