github-actions-self-hosted-risk-audit
Audit GitHub Actions workflows that use self-hosted runners for untrusted trigger and credential-hardening risks.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/daniellummis/github-actions-self-hosted-risk-audit
What This Skill Does
The github-actions-self-hosted-risk-audit skill is a specialized security tool designed to identify and mitigate critical vulnerabilities associated with self-hosted GitHub Actions runners. Because self-hosted runners often persist state and have broader network access than GitHub-managed runners, they are prime targets for malicious pull requests. This skill automatically scans your repository's .github/workflows/ directory to detect dangerous configurations. It identifies jobs tagged with self-hosted that lack sufficient routing labels, flags high-risk triggers such as pull_request_target or issue_comment which can lead to remote code execution (RCE) on the runner, and verifies that actions/checkout steps are configured with persist-credentials: false to prevent secret exfiltration. By applying a weighted scoring system, it helps developers prioritize remediation efforts on the most dangerous workflows first.
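The three checks described above, sketched as an added example (this is not the skill's own code). The finding names, the weights, and both sample workflows are assumptions constructed for illustration; the matching is line-based heuristics rather than a full YAML parse.

```python
import re

# Constructed sample: untrusted trigger, bare self-hosted label, default checkout.
RISKY = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
"""

# Constructed sample: same job with routing labels and credential hardening.
HARDENED = """\
on:
  pull_request:
jobs:
  build:
    runs-on: [self-hosted, linux, ephemeral]
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
"""

# Assumed weights; the page does not document the skill's real scoring.
WEIGHTS = {"untrusted-trigger": 5, "bare-self-hosted-label": 3, "persisted-credentials": 2}
TRIGGER = re.compile(r"(?m)^\s*(?:on:.*|-\s*)?\b(pull_request_target|issue_comment)\b")

def audit(workflow_text):
    """Return (score, findings) for the text of one workflow file."""
    # Inline forms only: `runs-on: x` and `runs-on: [x, y]` (block lists are not handled).
    jobs = [[label.strip(" '\"") for label in value.strip("[] ").split(",")]
            for value in re.findall(r"(?m)^\s*runs-on:\s*(.+)$", workflow_text)]
    if not any("self-hosted" in labels for labels in jobs):
        return 0, []  # no self-hosted job, so the workflow is out of scope
    findings = []
    if TRIGGER.search(workflow_text):
        findings.append("untrusted-trigger")
    if any(labels == ["self-hosted"] for labels in jobs):
        findings.append("bare-self-hosted-label")
    # Every checkout step should be paired with persist-credentials: false.
    checkouts = len(re.findall(r"uses:\s*actions/checkout@", workflow_text))
    hardened = len(re.findall(r"persist-credentials:\s*false\b", workflow_text))
    if checkouts > hardened:
        findings.append("persisted-credentials")
    return sum(WEIGHTS[f] for f in findings), findings
```

Sorting workflow files by the returned score, highest first, gives the remediation order the description refers to.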
Installation
You can integrate this skill into your environment using the OpenClaw CLI. Run the following command in your terminal to fetch the latest version:
clawhub install openclaw/skills/skills/daniellummis/github-actions-self-hosted-risk-audit
Ensure that the directory structure is preserved and that the execution environment has read access to the target repository's workflow YAML files.
Use Cases
This skill is ideal for DevSecOps engineers, security researchers, and lead developers managing infrastructure as code. Typical use cases include:
- Automated Security Auditing: Running the audit during the pre-commit or CI phase to block the merge of insecure workflow configurations.
- Risk Posture Assessment: Periodic scanning of a large organization's repositories to identify legacy workflows that rely on insecure patterns.
- Compliance Reporting: Generating JSON reports to track the number of insecure self-hosted workflows over time and measure improvement in the codebase security posture.
Example Prompts
- "OpenClaw, run the github-actions-self-hosted-risk-audit on the current repository and show me a text summary of the findings."
- "Perform a security audit on all workflow files in the .github folder; if any critical vulnerabilities are detected, output the data as JSON and fail the job."
- "Scan my repository for self-hosted runner risks, specifically looking for any workflows using 'pull_request_target' triggers without credential hardening."
Tips & Limitations
To get the best results, ensure your runner environment is isolated and consider using strict network egress controls alongside this audit. Note that this skill performs static analysis; while it identifies risky patterns, it cannot predict every possible runtime execution path of a complex script embedded within a workflow. Always review critical findings manually to confirm context-specific security controls are already in place, such as runner-level isolation or environment-based approvals.
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-daniellummis-github-actions-self-hosted-risk-audit": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Flags: file-read