api-server-mcp
vmain
io.github.xberg-io/xberg/api-server-mcp
REST API server and MCP protocol integration
io.github.github/awesome-copilot/github-actions-hardening · vmain
Security hardening reviewer for GitHub Actions workflow files (.github/workflows/*.yml). Reasons about the Actions threat model that pattern matchers and general code linters miss — untrusted-input script injection, privileged triggers running fork code, mutable action references, and over-scoped tokens. Use this skill when asked to review, audit, harden, or secure a GitHub Actions workflow, when writing a new workflow, or for any request like "is this workflow safe?", "review my CI for security issues", "why is pull_request_target dangerous here?", "pin my actions", or "lock down GITHUB_TOKEN permissions". Covers script injection via ${{ }} interpolation, pull_request_target / workflow_run privilege escalation, SHA-pinning of third-party actions, least-privilege permissions, GITHUB_ENV/GITHUB_OUTPUT injection, secret exposure, OIDC over long-lived credentials, and self-hosted runner exposure on public repositories.
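github-actions-hardening is an Agent Skill, indexed from SkillsMP. This page provides installation and configuration snippets for clients such as Cursor and Claude Code.
An Agent Skill is an instruction package that ships with a SKILL.md file. Once installed, the AI loads it automatically when a task matches its description, so there is no need to paste the prompt manually each time.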
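# Change -a to switch clients: cursor | claude-code | codex | github-copilot
npx skills add github/awesome-copilot@github-actions-hardening -a cursor -y

After installation, describe your task directly in the conversation (or mention the skill name). The agent first reads the description in SKILL.md to decide whether to enable the skill, then follows the steps in it. You can view the loaded skills with /skills (Claude Code) or in the settings.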
vmain
io.github.UitbreidenOS/UitKit/css-resets-initial-layout-structures
Guidelines and instructions for CSS resets initial layout structures
vmain
io.github.khalilbenaz/claude-skills-collection/css-layout-solver
Solves CSS layout problems with Flexbox, Grid and modern techniques. Triggers on "CSS", "layout", "Flexbox", "Grid", "centrer", "aligner", "responsive", "mon layout est cassé", "overflow", "z-index".
vmain
io.github.zekdevs/pi-config/kubernetes-debug
Inspect pod logs, analyze resource quotas, trace network policies, check deployment rollout status, and run cluster health checks for Kubernetes. Use this skill when diagnosing Kubernetes cluster issues, debugging failing pods, investigating network connectivity problems, analyzing resource usage, troubleshooting deployments, or performing cluster health checks.
vdev
io.github.ethereum/ethereum-org-website/design-system
Use when building, refactoring, or styling any UI in the ethereum.org Next.js site (`src/components/`, `app/`, `src/styles/`, `public/content/`, or any `.tsx`/`.mdx`/`.css` change that affects the rendered UI). Provides canonical component choices, design tokens, RTL/i18n rules, server/client guidance, and the "use a variant, not a new component" pattern for the project's Tailwind v4 + Radix + shadcn-style design system.
vmaster
io.github.PostHog/posthog/writing-skills
Guide for writing PostHog agent skills — job-to-be-done templates that teach agents how to use MCP tools to achieve a goal. Use when adding new product functionality that agents should know how to work with, creating a new skill, or updating existing skills in products/*/skills/.
{
  "id": "io.github.github/awesome-copilot/github-actions-hardening",
  "type": "skill",
  "version": "main",
  "displayName": "github-actions-hardening",
  "description": "Security hardening reviewer for GitHub Actions workflow files (.github/workflows/*.yml). Reasons about the Actions threat model that pattern matchers and general code linters miss — untrusted-input script injection, privileged triggers running fork code, mutable action references, and over-scoped tokens. Use this skill when asked to review, audit, harden, or secure a GitHub Actions workflow, when writing a new workflow, or for any request like \"is this workflow safe?\", \"review my CI for security issues\", \"why is pull_request_target dangerous here?\", \"pin my actions\", or \"lock down GITHUB_TOKEN permissions\". Covers script injection via ${{ }} interpolation, pull_request_target / workflow_run privilege escalation, SHA-pinning of third-party actions, least-privilege permissions, GITHUB_ENV/GITHUB_OUTPUT injection, secret exposure, OIDC over long-lived credentials, and self-hosted runner exposure on public repositories.",
  "author": {
    "name": "github",
    "url": "https://github.com/github"
  },
  "repository": {
    "url": "https://github.com/github/awesome-copilot",
    "source": "github",
    "subfolder": "skills/github-actions-hardening"
  },
  "homepage": "https://skillsmp.com/creators/github/awesome-copilot/skills-github-actions-hardening",
  "distribution": {
    "packages": [
      {
        "registryType": "source",
        "identifier": "github/awesome-copilot@github-actions-hardening",
        "version": "main",
        "runtimeHint": "npx skills add"
      }
    ],
    "remotes": []
  },
  "dependencies": [],
  "installTargets": [
    "claude-code",
    "claude-desktop",
    "cursor",
    "codex",
    "vscode"
  ],
  "keywords": [
    "repo_stars:35624"
  ],
  "provenance": {
    "origin": "skillsmp",
    "originalId": "github-awesome-copilot-skills-github-actions-hardening-skill-md",
    "originalUrl": "https://skillsmp.com/creators/github/awesome-copilot/skills-github-actions-hardening",
    "isOfficial": false,
    "status": "active"
  }
}