Claude Code Skills·Claude Skills·The open SKILL.md registry for Claude
ClaudSkills / Security / security-misc

Github Actions Hardening

Category: Security  ·  Sub-category: security-misc  ·  Last updated:
tool:githubtype:audittype:review
Security hardening reviewer for GitHub Actions workflow files (.github/workflows/*.yml). Reasons about the Actions threat model that pattern matchers and general code linters miss — untrusted-input script injection, privileged triggers running fork code, mutable action references, and over-scoped tokens. Use this skill when asked to review, audit, harden, or secure a GitHub Actions workflow, when writing a new workflow, or for any request like "is this workflow safe?", "review my CI for security issues", "why is pull_request_target dangerous here?", "pin my actions", or "lock down GITHUB_TOKEN permissions". Covers script injection via ${{ }} interpolation, pull_request_target / workflow_run privilege escalation, SHA-pinning of third-party actions, least-privilege permissions, GITHUB_ENV/GITHUB_OUTPUT injection, secret exposure, OIDC over long-lived credentials, and self-hosted runner exposure on public repositories.
Security AStatic scan found no risk patternsHow grading works ›

From the source SKILL.md

A focused security reviewer for GitHub Actions workflows. It reasons about the Actions-specific threat model — where trust boundaries live in trigger types, token scopes, and string interpolation — rather than the application-code vulnerabilities a general security scanner looks for. Most workflow risks are invisible to language linters because the dangerous code is the YAML itself and the way GitHub expands ${{ }} expressions into a shell before your script runs.

What this skill does

Github Actions Hardening is a community-contributed Claude Code skill in the security-misc sub-category. It ships as a SKILL.md file that Claude Code auto-discovers under ~/.claude/skills/github-actions-hardening/ and loads when your prompt matches the skill's trigger.

Who uses this skill

The Github Actions Hardening Claude Code skill is built for security engineers, penetration testers, DevSecOps practitioners, and development teams hardening codebases and infrastructure. It's part of ClaudSkills (also referred to as Claude Skills or Claude Code Skills) — the open community-curated registry of 146,000+ SKILL.md files for Anthropic's Claude Code agent and the wider Claude ecosystem (Claude API, Claude Agent SDK).

How to install

Free

Manual install (2 steps)

mkdir -p ~/.claude/skills/github-actions-hardening
curl -L https://claudskills.com/skills/github-actions-hardening/SKILL.md \
  -o ~/.claude/skills/github-actions-hardening/SKILL.md

Or just download SKILL.md directly and drop it into ~/.claude/skills/github-actions-hardening/. Claude Code auto-discovers it on next session.

Skills live at ~/.claude/skills/github-actions-hardening/SKILL.md on macOS/Linux, or %USERPROFILE%\.claude\skills\github-actions-hardening\SKILL.md on Windows. See the full install guide for step-by-step instructions.

Telegram

📱 Install from your phone or desktop Telegram

Open @claudskills_bot on Telegram, tap Open Desktop App, and the desktop app installs this skill for you. Or share the bot link with a colleague — they get the same one-tap install. Learn more →

Pro

One-click install via the desktop app

The ClaudSkills desktop app installs any skill directly into ~/.claude/skills/ with one click — no terminal required. Pro starts at $9/mo or $149 lifetime.

Pro

For the full experience including quality scoring and one-click install features for each skill — upgrade to Pro.

Frequently asked questions

How do I install the Github Actions Hardening Claude Code skill?
Install via the ClaudSkills desktop app (one click) or copy SKILL.md from the source repository to ~/.claude/skills/github-actions-hardening/SKILL.md and restart Claude Code. Both flows are detailed at claudskills.com/install/.
What does the Github Actions Hardening skill do?
Security hardening reviewer for GitHub Actions workflow files (.github/workflows/*.yml). Reasons about the Actions threat model that pattern matchers and general code linters miss — untrusted-input script injection, privileged triggers running fork code, mutable action references, and over-scoped tokens. Use this skill when asked to review, audit, harden, or secure a GitHub Actions workflow, when writing a new workflow, or for any request like "is this workflow safe?", "review my CI for security issues", "why is pull_request_target dangerous here?", "pin my actions", or "lock down GITHUB_TOKEN permissions". Covers script injection via ${{ }} interpolation, pull_request_target / workflow_run privilege escalation, SHA-pinning of third-party actions, least-privilege permissions, GITHUB_ENV/GITHUB_OUTPUT injection, secret exposure, OIDC over long-lived credentials, and self-hosted runner exposure on public repositories.
Is this skill free to install?
Yes. ClaudSkills is an open registry — every skill keeps its source repository's license, and manual install via copy is free. ClaudSkills Pro ($9/mo, $79/yr, or $149 one-time) adds one-click install via the desktop app and a multi-signal Quality Score.
When should I use the Github Actions Hardening skill?
Use Github Actions Hardening when your Claude Code task falls under the Security category — specifically in the security misc area. Claude Code auto-discovers installed skills and invokes the right one based on the task description, so you can also ask Claude directly (e.g. "use Github Actions Hardening" or describe the task and let Claude pick). Browse related skills at /category/security/.
What is a Claude Code skill and how does the Github Actions Hardening skill fit in?
A Claude Code skill is a SKILL.md file that lives under ~/.claude/skills/<name>/ and tells the Claude Code CLI agent how to perform a specific task (instructions, prompts, allowed tools). Skills are auto-discovered at session start. Github Actions Hardening is one of 67,000+ skills indexed in the open ClaudSkills catalog, classified under the Security category. Learn more at /learn/what-is-a-claude-skill/.

Attribution & license

Cite this skill

If you reference this skill in a blog post, paper, or documentation, you can cite it as:

APA
github. (2026). Github Actions Hardening [Claude Code skill]. ClaudSkills. https://claudskills.com/skills/github-actions-hardening/
BibTeX
@misc{github-actions-hardening-2026,
  author    = {github},
  title     = {Github Actions Hardening [Claude Code skill]},
  year      = {2026},
  publisher = {ClaudSkills},
  url       = {https://claudskills.com/skills/github-actions-hardening/}
}

Embed this skill

Promote, attribute, or link this skill from your own README, blog post, or documentation. All three snippets are free to use — no sign-up, no API key. More distribution surfaces →

Badge
[![ClaudSkills](https://claudskills.com/badge/github-actions-hardening.svg)](https://claudskills.com/skills/github-actions-hardening/?utm_source=badge&utm_medium=readme&utm_campaign=skill_badge)
<script>
<script src="https://claudskills.com/embed/github-actions-hardening.js" async></script>
<iframe>
<iframe src="https://claudskills.com/embed/github-actions-hardening.html" width="100%" height="160" frameborder="0" loading="lazy" title="ClaudSkills: Github Actions Hardening"></iframe>

Security scan

Grade A · scanned 2026-07-06 — free static scan against the OWASP Agentic Skills Top 10.

No risk patterns were found in any of the ten OWASP-aligned categories. How grading works ›

Show this grade on your repo (click to copy):

[![Security: A](https://img.shields.io/badge/Security-A-2e7d32)](https://claudskills.com/skills/github-actions-hardening/#security)

Free. No spam. Unsubscribe in one click.

More Security skills

Browse all Security skills in the ClaudSkills registry, or explore these other picks from the same category:

Browse all Security skills → Top 100 skills
Part of ClaudSkills — the open registry for Claude Skills & Claude Code Skills.  ·  What's New  ·  Install guide  ·  About  ·  llms.txt

Part of Acreator Store — Adam Lankamer's AI tools: PerfectStudio · Ucaption · UTagger · AutoXPoster · TestYourSkills · AutomationFlows · Au Naturel · Telegram @acreatorstore