Skill Detail

Audit GitHub Actions for privilege and supply-chain risks with zizmor

Run a focused security pass on GitHub Actions workflows before merge so token misuse, dangerous permissions, and unpinned actions are caught early.

Security & Verification Multi-Framework Security Reviewed
Tool match: zizmor ⭐ 4.2k GitHub stars MIT license
INSTALL WITH ANY AGENT
npx skills add agentskillexchange/skills --skill audit-github-actions-for-privilege-and-supply-chain-risks-with-zizmor
Works best when you want a reusable capability, not another fragile one-off prompt.
At a glance
Tools required: Python 3.9+ or prebuilt zizmor binary, access to the target repository
Install & setup: Install from the project documentation, then run `zizmor` against the repository or workflow files you want to review before merge or release.
Author: zizmorcore
Publisher: Organization
Last updated: Apr 15, 2026
Quick brief

Use zizmor when an agent is reviewing GitHub Actions changes and needs a security-first gate before those workflows land. The agent can scan workflow files, flag risky permission scopes, catch untrusted input paths, and surface supply-chain issues such as unsafe action pinning. The boundary is narrow and clear: pre-merge GitHub Actions security review, not a generic CI platform listing or all-purpose GitHub automation card.