GitHub Action that scans agent skills for security issues on every PR.
| Scanner | What It Catches |
|---|---|
| --------- | ----------------- |
| sentry | API keys, tokens, passwords, credentials in code |
| bastion | Prompt injection markers, shell injection patterns |
| egress | Suspicious network calls, data exfiltration patterns |
Add to .github/workflows/security.yml:
name: Security Scan
on:
pull_request:
paths:
- 'skills/**'
- '.openclaw/**'
push:
branches: [main]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: AtlasPA/openclaw-action@v1
with:
workspace: '.'
fail-on-findings: 'true'
| Input | Default | Description |
|---|---|---|
| ------- | --------- | ------------- |
workspace | . | Path to scan |
fail-on-findings | true | Fail the check if issues found |
scan-secrets | true | Enable secret scanning |
scan-injection | true | Enable injection scanning |
scan-egress | true | Enable egress scanning |
| Output | Description |
|---|---|
| -------- | ------------- |
findings-count | Total number of issues found |
has-critical | true if critical/high severity issues |
This action detects and alerts only. It will:
It will NOT:
For automated remediation, see OpenClaw Pro.
共 1 个版本