ClawKit Reliability Toolkit

github-actions-permission-scope-audit

Audit GitHub Actions workflow permission scope drift to enforce least-privilege token access.


Install via CLI (Recommended)

clawhub install openclaw/skills/skills/daniellummis/github-actions-permission-scope-audit

What This Skill Does

The github-actions-permission-scope-audit skill is a robust security auditing tool designed to maintain the principle of least privilege within your GitHub Actions infrastructure. By default, GitHub Actions workflows often inherit excessive permissions, which can lead to significant security risks if a repository is compromised. This skill automatically scans your workflow YAML files to identify these over-broad settings. It detects patterns like 'write-all', dangerous write permissions on sensitive scopes, and risky configurations such as the pull_request_target event when combined with write access. By flagging workflows that lack explicit permission blocks or those using default, insecure settings, the skill provides a clear audit trail for developers to remediate vulnerabilities before they are exploited in production environments.
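As an added illustration of the detection patterns listed above (this is example code written for this page, not the skill's own implementation), a line-based Python audit that flags `write-all`, write grants combined with `pull_request_target`, write grants on sensitive scopes, and a missing top-level `permissions` block; the sample workflow and the sensitive-scope set are constructed assumptions:

```python
import re
from typing import List, Tuple

# Constructed sample workflow for this demo; not taken from the skill or any real repository.
RISKY_WORKFLOW = """\
name: pr-check
on:
  pull_request_target:
jobs:
  build:
    permissions:
      contents: write
      pull-requests: read
  release:
    permissions: write-all
"""

# Assumed set of scopes where a leaked write-capable token does the most damage.
SENSITIVE_SCOPES = {"contents", "id-token", "packages", "actions", "security-events"}
PERM_LINE = re.compile(r"^(\s*)permissions:\s*(.*?)\s*$")
SCOPE_LINE = re.compile(r"^\s*([\w-]+):\s*(read|write|none)\s*$")

def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Line-based scan of one workflow file; returns (line_no, severity, message) findings."""
    lines, findings = text.splitlines(), []
    # pull_request_target runs with the base repository's token, so any write grant is critical.
    pr_target = re.search(r"\bpull_request_target\b", text) is not None
    if not re.search(r"^permissions:", text, re.M):
        findings.append((0, "HIGH", "no top-level permissions block; token keeps default scopes"))
    i = 0
    while i < len(lines):
        m = PERM_LINE.match(lines[i])
        i += 1  # i is now the 1-based number of the line just examined
        if not m:
            continue
        indent, value = len(m.group(1)), m.group(2)
        if value == "write-all":
            findings.append((i, "CRITICAL", "permissions: write-all grants every scope"))
        # Mapping form (empty value): scope entries are the more-indented lines that follow.
        while value == "" and i < len(lines) and (
                not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
            s = SCOPE_LINE.match(lines[i])
            if s and s.group(2) == "write":
                if pr_target:
                    findings.append((i + 1, "CRITICAL", f"{s.group(1)}: write with pull_request_target"))
                elif s.group(1) in SENSITIVE_SCOPES:
                    findings.append((i + 1, "HIGH", f"{s.group(1)}: write on a sensitive scope"))
            i += 1
    return findings
```

Flow-style mappings such as `permissions: {contents: read}` are not expanded by this scanner; only the block form and the `write-all` shorthand are inspected.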

Installation

To install this skill, use the OpenClaw CLI tool within your terminal. Execute the following command from the root of your project directory:

clawhub install openclaw/skills/skills/daniellummis/github-actions-permission-scope-audit

Ensure that you have the necessary repository access and that the OpenClaw environment is correctly initialized before attempting the installation. Once installed, the skill scripts will be available in your local skills/ directory, ready to be invoked via shell commands.

Use Cases

  • Automated Security Gates: Integrate the skill into your CI/CD pipeline to fail builds that contain high-risk workflow permissions.
  • Compliance Audits: Generate comprehensive JSON reports to provide evidence to security teams that your workflows adhere to least-privilege standards.
  • Refactoring Workflows: Use the audit report to identify where specific permissions can be narrowed down from 'write' to 'read' or explicitly restricted.
  • Onboarding/Code Review: Quickly scan new contributions to ensure no developer has inadvertently added a workflow with dangerous permission scopes.

Example Prompts

  1. "OpenClaw, please audit all workflow files in the repository for risky permission scopes and provide a text summary of the findings."
  2. "Run the permission scope audit on the current workflow directory. If any critical risks are found, fail the process and list the specific lines in the YAML files that need adjustment."
  3. "Execute a security audit of our GitHub Actions configuration, outputting the result as JSON so I can process the data in our internal dashboard."

Tips & Limitations

  • Permissions Depth: While the tool is excellent at identifying high-level permission drifts, always perform a manual review of complex workflows that involve multi-stage jobs.
  • Regex Matching: Utilize the WORKFLOW_FILE_MATCH and PERMISSION_MATCH flags to narrow your audit scope if you are working in a large, multi-repository project.
  • CI Integration: Use FAIL_ON_CRITICAL=1 in your CI environment to ensure no insecure configurations slip past your deployment gates.
  • Limitations: The skill is designed specifically for YAML-based GitHub Actions; it does not audit external systems or third-party actions that might have their own independent permission requirements.

Metadata

Stars: 3376
Views: 1
Updated: 2026-03-24
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-daniellummis-github-actions-permission-scope-audit": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags (AI)

#security #github #devops #auditing #actions
Safety Score: 4/5

Flags: file-read