一键在 Manus 中运行任何 Skill

github-actions-security

Apply a comprehensive GitHub Actions security checklist to audit, harden, and fix CI/CD workflows against supply chain attacks. Use this skill whenever the user mentions GitHub Actions security, workflow hardening, CI/CD supply chain risks, secret exposure in pipelines, pinning actions, OIDC vs static secrets, pull_request_target risks, script injection in workflows, self-hosted runner security, or artifact/cache poisoning. Also trigger when the user shares a workflow YAML file and wants it reviewed, audited, or improved for security. Even if the user only asks a narrow question like "is my workflow safe?" or "how do I pin actions?", use this skill to provide structured, checklist-backed guidance.

在 Manus 中运行

概览

安装命令

npx skills add https://github.com/daedalus/skills --skill github-actions-security

复制此命令并粘贴到 Claude Code 中以安装该技能

来源

daedalus/skills

星标1

分支0

更新时间2026年5月15日 16:41

SKILL.md

readonly

同仓库更多 Skills

同仓库

ai-code-review

daedalus/skills

Orchestrate multi-agent AI code review on a git diff or merge request. Use this skill whenever the user wants to review code changes with AI, analyze a diff, audit a pull request or merge request, check for bugs/security issues/performance problems, or set up an automated code review pipeline. Trigger even for casual phrasing like "can you review this PR", "check my diff for issues", "look over these changes", or "what do you think of this code change". Always use this skill when code review, diff analysis, or MR/PR review is involved — do not attempt ad-hoc review without it. Do NOT trigger for reviewing prose, essays, documentation-only files, or non-code content.

2026-05-301

adhd-reasoning-mode

daedalus/skills

Apply exploratory, curiosity-driven reasoning inspired by ADHD-associated cognitive traits — including curiosity-biased attention, associative jumps across distant domains, interrupt-driven anomaly detection, hyperfocus under uncertainty, and parallel weak-stream ideation. Use this skill whenever the user asks for: creative brainstorming, cross-domain analogies, unconventional problem-solving, research hypothesis generation, adversarial/security thinking, scientific discovery tasks, or any time the user says "think outside the box", "what am I missing", "explore weird angles", "be creative", "ADHD mode", or "exploratory reasoning". Also trigger when a conventional answer would be too narrow, too domain-local, or when the problem space benefits from wide associative search before convergence. Trigger mid-task too: if reasoning has stayed in one domain for several steps without surprise, this skill applies even if it wasn't requested upfront.

2026-05-281

python-project-scaffold

daedalus/skills

Full Python project bootstrapping workflow. Use this skill whenever the user wants to build a new Python tool, library, CLI, or module from scratch — especially when they mention "create X", "build X in Python", "write a Python project for X", or ask for a proper project with tests, linting, versioning, or git setup. Triggers on any request to scaffold, initialize, or structure a new Python project. Even if the user only says "build me X in Python", apply this skill — it encodes the full professional workflow: SPEC → implementation → pytest → README → lint → git. Always use this skill rather than improvising a one-off script when the deliverable is a reusable project.

2026-05-261

alphaproof-nexus

daedalus/skills

Knowledge scaffold for building, using, or reasoning about AlphaProof Nexus — Google DeepMind's LLM-aided formal proof search system (arXiv:2605.22763). Always use this skill for ANY of the following: AI-driven theorem proving in Lean 4, reproducing or extending the AlphaProof Nexus agent architecture, solving open mathematics problems with formal verification, integrating evolutionary algorithms with LLM proof search, applying the system to Erdős problems / OEIS conjectures / algebraic geometry / optimization / graph theory, understanding the EVOLVE-BLOCK / EVOLVE-VALUE prompt interface, comparing the four agent configurations (A/B/C/D), or the Elo/P-UCB sketch rating mechanism. Also trigger for adjacent queries like "automate math research with AI", "connect Lean compiler feedback to an LLM loop", "cheapest way to prove hard math with AI", "reproduce a DeepMind theorem prover", "LLM + formal verification pipeline", or anything about AlphaProof, AlphaEvolve applied to proofs, or the Formal Conjectures benchm

2026-05-241

os-bootstrap

daedalus/skills

Bootstrap the creation of a POSIX-like operating system kernel from scratch. Use this skill whenever someone wants to build, start, or plan a kernel or OS — including requests like "help me write an OS", "I want to build a kernel", "start an operating system project", "implement POSIX syscalls", "build a process scheduler", "write a VFS layer", "implement memory management for my kernel", "create a bootable system", or any request involving kernel internals (interrupts, paging, scheduling, file systems, system calls). Also trigger when someone wants to extend an existing hobby OS with a new kernel subsystem. This skill covers both project scaffolding AND deep technical implementation guidance — use it for either or both.

2026-05-241

ai-code-detection

daedalus/skills

Detect whether a piece of code or an entire software project was written by a human, AI, or some hybrid thereof. Use this skill whenever the user wants to audit a file, snippet, repo, or commit history for AI authorship signals; phrases like "is this AI-generated", "was this written by ChatGPT", "detect LLM code", "human or AI?", "check for AI authorship", "is this vibe-coded", or any request to judge, score, or explain the provenance of code. Also trigger when the user pastes code and asks "did a human write this?" or "does this look AI-generated?" — even casually phrased.

2026-05-191

来源

daedalus

daedalus/skills

打开 GitHub 仓库查看创作者相关仓库

安装命令

下载

在 Manus 中运行

适用职业SOC

信息安全分析师计算机与数学类职业15-1212L4

name

github-actions-security

description

GitHub Actions Security Skill

A practical skill for auditing and hardening GitHub Actions workflows against supply chain attacks, secret theft, poisoned pipeline execution, and excessive token permissions.

Source reference

Based on: https://corgea.com/learn/github-actions-security-checklist
Also informed by: GitHub's 2026 Actions security roadmap, OpenSSF, OWASP CI/CD Top 10, and GitHub Security Lab guidance on preventing pwn requests.

When the user shares a workflow file

Read the YAML carefully.
Check it against all 10 checklist areas below.
Report findings grouped by risk area with severity (Critical / High / Medium / Low).
Provide concrete fixed snippets for every finding.
Summarize with a prioritized remediation list.

The five controls to always check first

Before anything else, verify these five — they cover the highest-impact failures:

#	Control	Why it matters
1	`GITHUB_TOKEN` permissions set to read-only by default	Limits blast radius of any compromised job
2	Third-party actions pinned to full commit SHA	Tags are mutable and can be hijacked
3	No `pull_request_target` for public repos or fork PRs	Runs privileged context on untrusted code
4	All PR/issue/commit metadata treated as untrusted input	Branch names and PR titles can inject shell commands
5	OIDC used for cloud access instead of static secrets	Short-lived credentials sharply reduce secret theft value

Full checklist (10 areas)

1. Organization and repository defaults

Workflow token permissions set to read-only by default
"Allow GitHub Actions to create and approve pull requests" is disabled
Fork PR workflow approval set to "Require approval for all outside collaborators" in Settings → Actions → Fork pull request workflows
Allowed actions restricted to GitHub-owned, verified creators, or an explicit allowlist
.github/workflows/ covered by CODEOWNERS
Branch protection / repository rulesets require PR review, block force pushes, require status checks, dismiss stale approvals

2. Explicit workflow permissions

permissions: declared at workflow or job level (not relying on defaults)
Write scopes granted only to jobs that need them
id-token: write granted only to OIDC jobs, not globally
Read-only validation separated from privileged publishing jobs

Minimal safe pattern:

permissions: {}         # deny all at workflow level

jobs:
  build:
    permissions:
      contents: read    # grant only what this job needs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha>

Trusted-build / privileged-publish split pattern:

Run untrusted code in a pull_request workflow (no secrets, read-only), then publish only after CI passes via a workflow_run workflow that holds credentials:

# workflow-ci.yml — triggered by pull_request, no secrets, read-only
on: [pull_request]
jobs:
  test:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      - run: npm test

# workflow-publish.yml — triggered only after CI passes on main
on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]
    branches: [main]
jobs:
  publish:
    if: github.event.workflow_run.conclusion == 'success'
    permissions:
      contents: write
      id-token: write
    environment: production
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      - run: npm publish

3. Dangerous triggers and untrusted execution paths

pull_request_target avoided in public repos; if used, never checks out or executes PR head code without maintainer review
workflow_run workflows check the upstream event before privileged actions
issue_comment, pull_request_review, pull_request_review_comment triggers audited for privilege
pull_request used for untrusted fork code (withholds secrets and write permissions by default)
Stale PRs closed or rebased after fixing a vulnerable workflow

workflow_run guard pattern: A workflow_run job runs with the base repo's full permissions even when the upstream workflow was triggered by a fork PR. Always check the upstream trigger and repo before taking any privileged action:

# ❌ Dangerous: privileged job runs regardless of what triggered upstream
on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh  # runs even for fork PRs!

# ✅ Guard with explicit checks before privileged steps
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Abort if triggered by a fork PR
        if: |
          github.event.workflow_run.event == 'pull_request' &&
          github.event.workflow_run.head_repository.full_name != github.repository
        run: |
          echo "Refusing to run privileged job for fork PR"
          exit 1
      - run: ./deploy.sh  # only reached for internal PRs or push events

4. Script injection prevention

Untrusted values include: branch names, PR titles/bodies, issue titles/bodies, labels, comments, commit messages, artifact contents from untrusted workflows.

Never interpolate untrusted context directly into run: blocks:

# ❌ Unsafe
- run: echo "Branch is ${{ github.head_ref }}"

# ✅ Safe — pass through environment variable
- run: echo "Branch is $BRANCH"
  env:
    BRANCH: ${{ github.head_ref }}

Checklist:

Untrusted context passed through environment variables, not inline ${{ }}
Shell variables quoted when used
Purpose-built actions preferred over inline shell for parsing untrusted input
No untrusted data written to GITHUB_ENV or GITHUB_PATH
No untrusted data written to GITHUB_OUTPUT or GITHUB_STEP_SUMMARY
Artifact contents from PR workflows treated as attacker-controlled

5. Third-party action pinning

All third-party actions pinned to full commit SHA (not a tag or branch)
SHA verified to belong to the original repo, not a fork
Preference for GitHub-owned or verified creator actions
Transitive action dependencies reviewed — a pinned top-level action can still call nested actions by mutable tag; review the action's own action.yml for uses: references in composite steps, or use zizmor/actionlint to detect transitive unpinned references
Dependabot or Renovate configured to update SHAs through reviewed PRs
Dependency graph and Dependabot alerts enabled for actions

Example:

# ❌ Mutable tag — can be moved by attacker
- uses: actions/checkout@v4

# ✅ Immutable SHA
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2

6. Secret hygiene

Secrets scoped to environments with protection rules and required reviewers for production
Secrets passed only to the specific step that needs them (not job-level env:)
Secrets never passed as command-line arguments (use env vars)
Secrets (including encoded or transformed forms) never echoed
secrets: inherit avoided in reusable workflows; only named secrets passed
Stale secrets rotated and removed

7. OIDC for cloud credentials

Cloud trust policies configured with repo, branch, environment, and workflow constraints
id-token: write granted only to the job that exchanges the token
Cloud roles limited to the exact operation (deploy, publish, etc.)
Environment approvals required for production OIDC jobs

AWS IAM trust policy — scoped to a specific repo and environment:

{
  "Condition": {
    "StringEquals": {
      "token.actions.githubusercontent.com:sub":
        "repo:myorg/myrepo:environment:production",
      "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
    }
  }
}

⚠️ Avoid StringLike with wildcards unless you explicitly need flexibility. repo:myorg/* trusts every repository in the org — a compromised repo becomes a path to production credentials. Prefer exact repo:org/repo:environment:name claims.

8. Runner hardening

Self-hosted runners not used for public repositories
Ephemeral or just-in-time runners used for sensitive private workflows (destroyed after one job)
Runner groups separated by trust level (public / private / release / production)
Runner network egress restricted to required endpoints only
Runner registrations and unexpected public repo creation monitored

9. Artifacts, caches, and release workflows

Artifact uploads scoped to explicit paths (not path: .)
.env, keys, credentials, and generated configs excluded from artifact uploads
persist-credentials: false set on actions/checkout unless later steps need the token
Untrusted artifacts extracted outside the workspace to a temporary directory
Secrets and release credentials not cached
Caches avoided in privileged release workflows
Provenance and attestations used for package releases where supported

Cache poisoning: Cache keys are deterministic (e.g. based on hashFiles('**/package-lock.json')), so a fork PR can compute the same key, write a poisoned cache entry first, and have it restored by your privileged release workflow. Mitigate by scoping cache keys to protected branches and never restoring caches in release jobs:

# Scope cache key to the current branch — fork PRs write to a different key
- uses: actions/cache@<sha>
  with:
    path: ~/.npm
    key: ${{ runner.os }}-${{ github.ref }}-${{ hashFiles('**/package-lock.json') }}

10. Continuous detection

Workflow linting in CI using both complementary tools:
- actionlint — syntax validation, shellcheck integration, expression type checking; catches malformed workflows and shell errors
- zizmor — security-focused; catches unsafe interpolation, dangerous triggers, unpinned actions
OpenSSF Scorecard run to surface supply chain posture across the repo
Code scanning enabled for workflow vulnerabilities (CodeQL supports common patterns)
Action dependency changes reviewed in PRs like application dependency updates
Alerts on failed attempts to use blocked actions or unpinned references
Incident playbook documented: disable workflows → revoke tokens → rotate secrets → block actions → inspect runner activity

Rollout order for hardening many repos

Inventory — workflows with write permissions, secrets, release jobs, self-hosted runners, public fork triggers
Org defaults — read-only token permissions, action restrictions, CODEOWNERS, PR approval protections
High-risk patterns — pull_request_target, workflow_run, untrusted interpolation, GITHUB_ENV, broad secret exposure
Pin actions — convert mutable references to full SHAs, add Dependabot/Renovate
OIDC migration — start with production deploy and package publish workflows
Monitoring — workflow linting, dependency alerts, audit logs, runner registration alerts

Severity classification guide

Severity	Examples
Critical	`pull_request_target` checking out fork head; secrets in `run:` args; unpinned third-party action on a release job
High	Script injection via `${{ github.head_ref }}` in `run:`; `write-all` permissions; self-hosted runner on public repo
Medium	Missing `permissions:` block; `secrets: inherit`; no CODEOWNERS on workflows
Low	Broad artifact upload; missing `persist-credentials: false`; stale secrets not rotated

github-actions-security

GitHub Actions Security Skill

Source reference

When the user shares a workflow file

The five controls to always check first

Full checklist (10 areas)

1. Organization and repository defaults

2. Explicit workflow permissions

3. Dangerous triggers and untrusted execution paths

4. Script injection prevention

5. Third-party action pinning

6. Secret hygiene

7. OIDC for cloud credentials

8. Runner hardening

9. Artifacts, caches, and release workflows

10. Continuous detection

Rollout order for hardening many repos

Severity classification guide

Key external references

GitHub Actions Security Skill

Source reference

When the user shares a workflow file

The five controls to always check first

Full checklist (10 areas)

1. Organization and repository defaults

2. Explicit workflow permissions

3. Dangerous triggers and untrusted execution paths

4. Script injection prevention

5. Third-party action pinning

6. Secret hygiene

7. OIDC for cloud credentials

8. Runner hardening

9. Artifacts, caches, and release workflows

10. Continuous detection

Rollout order for hardening many repos

Severity classification guide

Key external references