Official Verified

github-actions-cache-hardening-audit

Audit GitHub Actions workflow cache usage for poisoning, keying, and secret-path risks.

skill-install — Terminal

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/daniellummis/github-actions-cache-hardening-audit

Download Source Code (.zip)

GitHub Actions Cache Hardening Audit

Use this skill to statically audit .github/workflows/*.yml for risky cache patterns that can cause cache poisoning, stale cache churn, or secret leakage.

What this skill checks

actions/cache usage on untrusted triggers (pull_request_target)
Cache keys that do not use hashFiles(...)
Overly broad restore-keys prefixes
Sensitive paths accidentally included in cache paths (.aws, .ssh, .npmrc, .git)
Floating cache action refs (@main, @master)

Inputs

Optional:

WORKFLOW_GLOB (default: .github/workflows/*.y*ml)
TOP_N (default: 20)
OUTPUT_FORMAT (text or json, default: text)
WARN_SCORE (default: 3)
CRITICAL_SCORE (default: 6)
WORKFLOW_FILE_MATCH (regex, optional)
WORKFLOW_FILE_EXCLUDE (regex, optional)
FAIL_ON_CRITICAL (0 or 1, default: 0)

Run

Text report:

WORKFLOW_GLOB='.github/workflows/*.yml' \
bash skills/github-actions-cache-hardening-audit/scripts/cache-hardening-audit.sh

JSON output + fail gate:

WORKFLOW_GLOB='.github/workflows/*.yml' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-cache-hardening-audit/scripts/cache-hardening-audit.sh

Run against bundled fixtures:

WORKFLOW_GLOB='skills/github-actions-cache-hardening-audit/fixtures/*.yml' \
bash skills/github-actions-cache-hardening-audit/scripts/cache-hardening-audit.sh

Output contract

Exit 0 by default (report mode)
Exit 1 when FAIL_ON_CRITICAL=1 and at least one critical workflow is detected
Text mode prints a summary and top flagged workflows
JSON mode emits summary, flagged_workflows, and critical_workflows

Read Full Documentation on GitHub

Metadata

Author@daniellummis

Stars3376

Updated2026-03-24

View Author Profile

AI Skill Finder

Not sure this is the right skill?

Describe what you want to build — we'll match you to the best skill from 16,000+ options.

Find the right skill

Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-daniellummis-github-actions-cache-hardening-audit": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Safety NoteClawKit audits metadata but not runtime behavior. Use with caution.

Related Skills

github-actions-recovery-latency-audit

Measure GitHub Actions failure recovery latency and unresolved incident age by workflow group.

daniellummis 3376

render-env-guard

Preflight-check Render service environment variables before deploys; catches missing keys and placeholder/template values that commonly break production rollouts.

daniellummis 3376

github-actions-trigger-health-audit

Audit GitHub Actions run health by trigger event and workflow so flaky or noisy automation sources are easy to prioritize.

daniellummis 3376

github-actions-cancel-waste-audit

Audit cancelled and timed-out GitHub Actions runs from JSON exports to surface wasted CI minutes and noisy workflows.

daniellummis 3376

github-actions-run-gap-audit

Detect GitHub Actions workflow groups that stopped running on their normal cadence using median run intervals and current inactivity gap.

daniellummis 3376