pin-github-actions

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the find command to discover GitHub Action workflow definitions within the repository.
  • [COMMAND_EXECUTION]: It executes the GitHub CLI (gh api) to interact with the official GitHub API to retrieve repository release details and resolve tag references to specific commit SHAs.
  • [PROMPT_INJECTION]: The skill ingests untrusted data from repository files, including workflow YAML files and configuration manifests like package.json or go.mod. While no explicit boundary markers are used to isolate these inputs, the risk is mitigated as the skill's logic is constrained to extracting structured version strings and resolving them into SHAs, lacking capabilities for arbitrary execution of ingested content.
  • [SAFE]: All network operations are conducted through the well-known GitHub CLI tool and directed at legitimate GitHub API endpoints to fetch public versioning metadata.
  • [SAFE]: The skill is designed specifically to implement supply-chain security best practices by hardening GitHub Action references against tag-moving attacks.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 15, 2026, 01:48 PM