How should GitHub Workflow Security be evaluated before use?

Use the required flow: snapshot, contract, and trust before recommending or executing this skill.

What kind of evidence is visible on this page?

This page surfaces public facts, change history, trust indicators, artifact evidence, and benchmark summaries with provenance.

Crawler Summary

GitHub Workflow Security answer-first brief

Automatically scan and harden GitHub Actions workflow files by adding security configurations and pinning action versions to immutable commit SHAs --- name: GitHub Workflow Security description: Automatically scan and harden GitHub Actions workflow files by adding security configurations and pinning action versions to immutable commit SHAs --- GitHub Workflow Security [!NOTE] **Skills Home Directory**: $SKILL_GH_WS_HOME = ~/.gemini/antigravity/skills This skill automatically scans and hardens GitHub Actions workflow files by adding security configurations and p Capability contract not published. No trust telemetry is available yet. Last updated 4/15/2026.

Freshness

Last checked 4/15/2026

Best For

GitHub Workflow Security is best for workflow, github, add workflows where OpenClaw compatibility matters.

Not Ideal For

Contract metadata is missing or unavailable for deterministic execution.

Evidence Sources Checked

editorial-content, GITHUB OPENCLEW, runtime-metrics, public facts pack

Card Facts Snapshot Contract Trust

Claim this agent

Agent DossierGitHubSafety: 94/100

GitHub Workflow Security

OpenClawself-declared

Public facts

Change events

Artifacts

Freshness

Apr 15, 2026

Verifiededitorial-contentNo verified compatibility signals

Capability contract not published. No trust telemetry is available yet. Last updated 4/15/2026.

Trust evidence available

Trust score

Unknown

Compatibility

OpenClaw

Freshness

Apr 15, 2026

Vendor

Micytoy

Artifacts

Benchmarks

Last release

Unpublished

Executive Summary

Key links, install path, and a quick operational read before the deeper crawl record.

Verifiededitorial-content

Summary

Capability contract not published. No trust telemetry is available yet. Last updated 4/15/2026.

View Source

Setup snapshot

git clone https://github.com/MicyToy/github-workflow-security.git

1
Setup complexity is LOW. This package is likely designed for quick installation with minimal external side-effects.
2
Final validation: Expose the agent to a mock request payload inside a sandbox and trace the network egress before allowing access to real customer data.

Evidence Ledger

Everything public we have scraped or crawled about this agent, grouped by evidence type with provenance.

Verifiededitorial-content

Vendor (1)

Vendor

Micytoy

profilemedium

Observed Apr 15, 2026Source link Provenance

Compatibility (1)

Protocol compatibility

OpenClaw

contractmedium

Observed Apr 15, 2026Source link Provenance

Security (1)

Handshake status

UNKNOWN

trustmedium

Observed unknownSource link Provenance

Integration (1)

Crawlable docs

6 indexed pages on the official domain

search_documentmedium

Observed Apr 15, 2026Source link Provenance

Release & Crawl Timeline

Merged public release, docs, artifact, benchmark, pricing, and trust refresh events.

Self-declaredagent-index

Docs Update

Docs refreshed: Sign in to GitHub · GitHub

search_documentmedium

Fresh crawlable documentation was indexed for the official domain.

Observed Apr 15, 2026

Artifacts Archive

Extracted files, examples, snippets, parameters, dependencies, permissions, and artifact metadata.

Self-declaredGITHUB OPENCLEW

Extracted files

Examples

Snippets

Languages

typescript

Parameters

Executable Examples

yaml

permissions:
       contents: read

bash

python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/harden-workflows.py

text

⚠️ Found unmapped actions - consider adding to mapping table:
- some/action@v1 → some/action@abc123... # v1.2.3

To get commit hash and save to mapping table:
python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/get-action-commit.py some/action v1 --save

bash

# Basic usage - harden all workflows with default permissions
python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/harden-workflows.py

# Custom permissions
python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/harden-workflows.py \
  --permissions "permissions:\n  contents: read\n  pull-requests: write\n"

# Specify workflow directory
python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/harden-workflows.py \
  --dir .github/workflows

bash

# Query commit hash
python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/get-action-commit.py actions/checkout v4

# Query and save to mapping table
python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/get-action-commit.py actions/checkout v4 --save

text

User: Use the github-workflow-security skill to scan and harden all workflows

Agent: I'll harden your GitHub Actions workflows for improved security.

[Executes: python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/harden-workflows.py]

Agent: ✅ Successfully hardened 3 workflow files:
- Added permissions to 1 workflow
- Pinned 12 action versions to commit SHAs

Would you like me to review the changes?

Docs & README

Full documentation captured from public sources, including the complete README when available.

Self-declaredGITHUB OPENCLEW

Docs source

GITHUB OPENCLEW

Editorial quality

ready

Full README

name: GitHub Workflow Security description: Automatically scan and harden GitHub Actions workflow files by adding security configurations and pinning action versions to immutable commit SHAs

GitHub Workflow Security

[!NOTE] Skills Home Directory: $SKILL_GH_WS_HOME = ~/.gemini/antigravity/skills

This skill automatically scans and hardens GitHub Actions workflow files by adding security configurations and pinning action versions to immutable commit SHAs to improve supply chain security.

When to Activate

This skill should be activated when the user mentions:

workflow security / workflow 安全
github actions security / GitHub Actions 安全
action commit hash / action 提交哈希
workflow permissions / workflow 权限
harden workflow / 加固 workflow
scan workflow / 扫描 workflow
supply chain security for GitHub Actions

Core Functionality

1. Scan GitHub Workflow Files

Automatically find all YAML files in .github/workflows/
Parse workflows to identify security issues
Support both .yml and .yaml formats

2. Add/Check Permissions Configuration

Check if workflow has permissions field
If missing, add minimal permissions:
```
permissions:
  contents: read
```
If custom permissions needed, use user-specified configuration
Skip if permissions already exist to avoid conflicts

3. Pin Action Versions to Commit SHAs

Replace mutable tags (e.g., @v4) with immutable commit SHAs
Format: actions/checkout@<commit-sha> # v4.3.1
Prevents tag manipulation and improves supply chain security
Maintains version comment for readability

4. Automatic Commit SHA Retrieval

Use mapping table from data/action-commit-map.json
For unmapped actions, automatically fetch from GitHub API
Report unmapped actions so user can add them to mapping table

Implementation Approach

When the user requests workflow hardening, follow these steps:

Step 1: Execute Hardening Script

Run the main hardening script from the skill's scripts directory:

python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/harden-workflows.py

Script Options:

--dir DIR: Specify workflow directory (default: .github/workflows)
--permissions PERMISSIONS: Custom permissions configuration
--map-file MAP_FILE: Path to action mapping JSON file

Default behavior:

Scans all workflow files in .github/workflows/
Adds permissions: { contents: read } if missing
Replaces action tags with commit SHAs
Reports statistics and unmapped actions

Step 2: Review Changes (Optional)

After execution, offer to review the changes:

Run git diff .github/workflows/ to show modifications
Ask if user wants AI to review the changes
If yes, analyze the diff to verify correctness and completeness

Step 3: Report Unmapped Actions

List any actions not in the mapping table:

⚠️ Found unmapped actions - consider adding to mapping table:
- some/action@v1 → some/action@abc123... # v1.2.3

To get commit hash and save to mapping table:
python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/get-action-commit.py some/action v1 --save

Helper Scripts

All scripts are located in the skill's scripts directory: $SKILL_GH_WS_HOME/github-workflow-security/scripts/

Main Hardening Script

File: harden-workflows.py

Usage Examples:

# Basic usage - harden all workflows with default permissions
python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/harden-workflows.py

# Custom permissions
python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/harden-workflows.py \
  --permissions "permissions:\n  contents: read\n  pull-requests: write\n"

# Specify workflow directory
python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/harden-workflows.py \
  --dir .github/workflows

Get Action Commit Hash

File: get-action-commit.py

Usage Examples:

# Query commit hash
python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/get-action-commit.py actions/checkout v4

# Query and save to mapping table
python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/get-action-commit.py actions/checkout v4 --save

Output includes:

Action name and tag
Resolved version number
Full commit SHA
Formatted uses: statement
Mapping table format (for manual addition)

Usage Examples

Example 1: Basic Hardening

User: Use the github-workflow-security skill to scan and harden all workflows

Agent: I'll harden your GitHub Actions workflows for improved security.

[Executes: python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/harden-workflows.py]

Agent: ✅ Successfully hardened 3 workflow files:
- Added permissions to 1 workflow
- Pinned 12 action versions to commit SHAs

Would you like me to review the changes?

Example 2: Custom Permissions

User: Harden workflows with permissions for contents: read and pull-requests: write

Agent: I'll harden workflows with your custom permissions configuration.

[Executes: python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/harden-workflows.py \
  --permissions "permissions:\n  contents: read\n  pull-requests: write\n"]

Example 3: Add New Action to Mapping

User: Add actions/cache v4 to the mapping table

Agent: I'll query and save the commit hash for actions/cache v4.

[Executes: python3 $SKILL_GH_WS_HOME/github-workflow-security/scripts/get-action-commit.py actions/cache v4 --save]

Agent: ✅ Added actions/cache@v4 to mapping table:
- Commit SHA: 1234567890abcdef...
- Version: v4.1.0

Expected Output Format

When the hardening script runs, it produces output like:

🔍 Scanned 3 workflow files

📄 Processing file: .github/workflows/ci.yml
  ℹ️  Permissions already configured, skipping
  ✓ Replaced actions/checkout@v4 → 34e114876b0b... # v4.3.1
  ✓ Replaced docker/setup-buildx-action@v3 → 8d2750c68a42... # v3.12.0
  ✅ File updated

============================================================
📊 Processing Summary
============================================================
  Files scanned: 3
  Added permissions: 1
  Replaced action versions: 12

✅ All workflow files have been processed

Pre-mapped Actions

The mapping table at data/action-commit-map.json includes:

actions/checkout (v2, v3, v4)
actions/setup-java (v3, v4)
actions/setup-node (v4)
actions/cache (v4)
pnpm/action-setup (v2, v4)
docker/setup-buildx-action (v3)
docker/login-action (v3)
docker/build-push-action (v5)
stCarolas/setup-maven (v5)
whelk-io/maven-settings-xml-action (v22)

Important Notes

GitHub API Rate Limits: Unauthenticated requests limited to 60/hour. The mapping table helps avoid hitting this limit.
Git-Managed Changes: All modifications are tracked by Git - no additional backup needed before running.
Validation Required: After hardening, verify workflows still function correctly. Test in a feature branch first.
File Format Support: Works with both .yml and .yaml files.
Permissions Verification: Ensure added permissions meet actual workflow requirements. Too restrictive permissions may cause workflow failures.
Self-Contained: This skill is self-contained at $SKILL_GH_WS_HOME/github-workflow-security/.

Security Best Practices

Principle of Least Privilege: Only grant necessary permissions to workflows
Pin Versions: Always use commit SHAs instead of mutable tags
Regular Updates: Periodically check and update action versions to get security fixes
Audit Trail: Leverage Git history to track all modifications for compliance
Mapping Maintenance: Keep the mapping table up to date with latest stable versions
Review Changes: Always review modifications before committing to main branch
Test First: Test hardened workflows in a feature branch before merging

Error Handling

Common issues and solutions:

Script not found: Ensure the skill is correctly installed at $SKILL_GH_WS_HOME/github-workflow-security/
API rate limit exceeded: Wait for rate limit reset (1 hour) or:
- Use authenticated GitHub API calls (set GITHUB_TOKEN environment variable)
- Pre-populate mapping table for your commonly used actions
Invalid workflow syntax: The script will report parsing errors
- Fix YAML syntax issues manually
- Validate with: actionlint .github/workflows/*.yml
Network issues: If GitHub API is unreachable:
- Retry after network is restored
- Manually add commit SHA to mapping table
Permission denied: Ensure scripts have execute permissions:
- Run: chmod +x $SKILL_GH_WS_HOME/github-workflow-security/scripts/*.py

Follow-up Actions

After successfully hardening workflows, recommend:

Review changes: Offer to review the git diff
Test workflows: Suggest running workflows in a test branch
Add unmapped actions: Help user add any unmapped actions to mapping table
Documentation: Mention updating project documentation about pinned versions
Periodic audits: Recommend scheduling periodic security reviews
CI/CD integration: Suggest adding automated security checks to CI pipeline

Contract & API

Machine endpoints, protocol fit, contract coverage, invocation examples, and guardrails for agent-to-agent use.

MissingGITHUB OPENCLEW

Endpoints

Dossier API Snapshot API Contract API Trust API

Contract coverage

Status

missing

Auth

None

Streaming

Data region

Unspecified

Protocol support

OpenClaw: self-declared

Requires: none

Forbidden: none

Guardrails

Operational confidence: low

No positive guardrails captured.

Invocation examples

curl -s "https://xpersona.co/api/v1/agents/micytoy-github-workflow-security/snapshot"

curl -s "https://xpersona.co/api/v1/agents/micytoy-github-workflow-security/contract"

curl -s "https://xpersona.co/api/v1/agents/micytoy-github-workflow-security/trust"

Reliability & Benchmarks

Trust and runtime signals, benchmark suites, failure patterns, and practical risk constraints.

Missingruntime-metrics

Trust signals

Handshake

UNKNOWN

Confidence

unknown

Attempts 30d

unknown

Fallback rate

unknown

Runtime metrics

Observed P50

unknown

Observed P95

unknown

Rate limit

unknown

Estimated cost

unknown

Do not use if

Contract metadata is missing or unavailable for deterministic execution.

No benchmark suites or observed failure patterns are available.

Media & Demo

Every public screenshot, visual asset, demo link, and owner-provided destination tied to this agent.

Missingno-media

No screenshots, media assets, or demo links are available.

Related Agents

Neighboring agents from the same protocol and source ecosystem for comparison and shortlist building.

Self-declaredprotocol-neighbors

GITHUB_REPOSactivepieces

Rank

AI Agents & MCPs & AI Workflow Automation • (~400 MCP servers for AI agents) • AI Automation / AI Agent with MCPs • AI Workflows & AI Agents • MCPs for AI Agents

Traction

No public download signal

Freshness

Updated 2d ago

OPENCLAW

GITHUB_REPOScherry-studio

Rank

AI productivity studio with smart chat, autonomous agents, and 300+ assistants. Unified access to frontier LLMs

Traction

No public download signal

Freshness

Updated 5d ago

MCPOPENCLAW

GITHUB_REPOSAionUi

Rank

Free, local, open-source 24/7 Cowork app and OpenClaw for Gemini CLI, Claude Code, Codex, OpenCode, Qwen Code, Goose CLI, Auggie, and more | 🌟 Star if you like it!

Traction

No public download signal

Freshness

Updated 6d ago

MCPOPENCLAW

GITHUB_REPOSCopilotKit

Rank

The Frontend for Agents & Generative UI. React + Angular

Traction

No public download signal

Freshness

Updated 23d ago

OPENCLAW

Machine Appendix

Contract JSON

{
  "contractStatus": "missing",
  "authModes": [],
  "requires": [],
  "forbidden": [],
  "supportsMcp": false,
  "supportsA2a": false,
  "supportsStreaming": false,
  "inputSchemaRef": null,
  "outputSchemaRef": null,
  "dataRegion": null,
  "contractUpdatedAt": null,
  "sourceUpdatedAt": null,
  "freshnessSeconds": null
}

Invocation Guide

{
  "preferredApi": {
    "snapshotUrl": "https://xpersona.co/api/v1/agents/micytoy-github-workflow-security/snapshot",
    "contractUrl": "https://xpersona.co/api/v1/agents/micytoy-github-workflow-security/contract",
    "trustUrl": "https://xpersona.co/api/v1/agents/micytoy-github-workflow-security/trust"
  },
  "curlExamples": [
    "curl -s \"https://xpersona.co/api/v1/agents/micytoy-github-workflow-security/snapshot\"",
    "curl -s \"https://xpersona.co/api/v1/agents/micytoy-github-workflow-security/contract\"",
    "curl -s \"https://xpersona.co/api/v1/agents/micytoy-github-workflow-security/trust\""
  ],
  "jsonRequestTemplate": {
    "query": "summarize this repo",
    "constraints": {
      "maxLatencyMs": 2000,
      "protocolPreference": [
        "OPENCLEW"
      ]
    }
  },
  "jsonResponseTemplate": {
    "ok": true,
    "result": {
      "summary": "...",
      "confidence": 0.9
    },
    "meta": {
      "source": "GITHUB_OPENCLEW",
      "generatedAt": "2026-04-17T01:42:27.913Z"
    }
  },
  "retryPolicy": {
    "maxAttempts": 3,
    "backoffMs": [
      500,
      1500,
      3500
    ],
    "retryableConditions": [
      "HTTP_429",
      "HTTP_503",
      "NETWORK_TIMEOUT"
    ]
  }
}

Trust JSON

{
  "status": "unavailable",
  "handshakeStatus": "UNKNOWN",
  "verificationFreshnessHours": null,
  "reputationScore": null,
  "p95LatencyMs": null,
  "successRate30d": null,
  "fallbackRate": null,
  "attempts30d": null,
  "trustUpdatedAt": null,
  "trustConfidence": "unknown",
  "sourceUpdatedAt": null,
  "freshnessSeconds": null
}

Capability Matrix

{
  "rows": [
    {
      "key": "OPENCLEW",
      "type": "protocol",
      "support": "unknown",
      "confidenceSource": "profile",
      "notes": "Listed on profile"
    },
    {
      "key": "workflow",
      "type": "capability",
      "support": "supported",
      "confidenceSource": "profile",
      "notes": "Declared in agent profile metadata"
    },
    {
      "key": "github",
      "type": "capability",
      "support": "supported",
      "confidenceSource": "profile",
      "notes": "Declared in agent profile metadata"
    },
    {
      "key": "add",
      "type": "capability",
      "support": "supported",
      "confidenceSource": "profile",
      "notes": "Declared in agent profile metadata"
    },
    {
      "key": "and",
      "type": "capability",
      "support": "supported",
      "confidenceSource": "profile",
      "notes": "Declared in agent profile metadata"
    },
    {
      "key": "both",
      "type": "capability",
      "support": "supported",
      "confidenceSource": "profile",
      "notes": "Declared in agent profile metadata"
    }
  ],
  "flattenedTokens": "protocol:OPENCLEW|unknown|profile capability:workflow|supported|profile capability:github|supported|profile capability:add|supported|profile capability:and|supported|profile capability:both|supported|profile"
}

Facts JSON

[
  {
    "factKey": "docs_crawl",
    "category": "integration",
    "label": "Crawlable docs",
    "value": "6 indexed pages on the official domain",
    "href": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceUrl": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceType": "search_document",
    "confidence": "medium",
    "observedAt": "2026-04-15T05:03:46.393Z",
    "isPublic": true
  },
  {
    "factKey": "vendor",
    "category": "vendor",
    "label": "Vendor",
    "value": "Micytoy",
    "href": "https://github.com/MicyToy/github-workflow-security",
    "sourceUrl": "https://github.com/MicyToy/github-workflow-security",
    "sourceType": "profile",
    "confidence": "medium",
    "observedAt": "2026-04-15T02:14:22.913Z",
    "isPublic": true
  },
  {
    "factKey": "protocols",
    "category": "compatibility",
    "label": "Protocol compatibility",
    "value": "OpenClaw",
    "href": "https://xpersona.co/api/v1/agents/micytoy-github-workflow-security/contract",
    "sourceUrl": "https://xpersona.co/api/v1/agents/micytoy-github-workflow-security/contract",
    "sourceType": "contract",
    "confidence": "medium",
    "observedAt": "2026-04-15T02:14:22.913Z",
    "isPublic": true
  },
  {
    "factKey": "handshake_status",
    "category": "security",
    "label": "Handshake status",
    "value": "UNKNOWN",
    "href": "https://xpersona.co/api/v1/agents/micytoy-github-workflow-security/trust",
    "sourceUrl": "https://xpersona.co/api/v1/agents/micytoy-github-workflow-security/trust",
    "sourceType": "trust",
    "confidence": "medium",
    "observedAt": null,
    "isPublic": true
  }
]

Change Events JSON

[
  {
    "eventType": "docs_update",
    "title": "Docs refreshed: Sign in to GitHub · GitHub",
    "description": "Fresh crawlable documentation was indexed for the official domain.",
    "href": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceUrl": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceType": "search_document",
    "confidence": "medium",
    "observedAt": "2026-04-15T05:03:46.393Z",
    "isPublic": true
  }
]