Agentic Actions Auditor

Plugin Active
Part of: Trailofbits

Audits GitHub Actions workflows for security vulnerabilities in AI agent integrations (Claude Code Action, Gemini CLI, OpenAI Codex, GitHub AI Inference)

1 Skill 0 MCPs
Purpose

To help security auditors and developers identify and remediate security risks in GitHub Actions workflows that integrate AI agents, ensuring secure CI/CD pipelines.

Features

  • Audits GitHub Actions workflows for AI agent security vulnerabilities
  • Detects specific attack vectors like env var intermediary, direct expression injection, and wildcard allowlists
  • Supports multiple AI agent integrations (Claude Code, Gemini CLI, OpenAI Codex, GitHub AI Inference)
  • Provides detailed findings with impact, evidence, data flow, and remediation guidance

Use cases

  • Auditing CI/CD pipelines that use AI agents for security risks
  • Reviewing GitHub Actions workflow configurations for prompt injection vulnerabilities
  • Ensuring secure defaults for AI-assisted code review and agentic actions
  • Assessing the security impact of attacker-controlled input on AI agents running in CI

Non-goals

  • Performing runtime prompt injection testing or exploitation
  • Auto-fixing or modifying workflow files
  • Auditing non-GitHub CI/CD systems
  • Analyzing workflows that do not use AI agent actions

Trust

  • Warning: Issues Attention. There are 13 open issues and 4 closed issues in the last 90 days, indicating slow issue closure and potential maintainer bottleneck.

Installation

Add the marketplace first

/plugin marketplace add trailofbits/skills
/plugin install agentic-actions-auditor@trailofbits

Quality score

75/100
Analyzed about 12 hours ago

Trust signals

Last commit: 3 days ago
Stars: 5.2k
License: CC-BY-SA-4.0