Security Audit
github-actions-templates
github.com/sickn33/antigravity-awesome-skills
Trust Assessment
github-actions-templates received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. Key findings include "Unpinned GitHub Action version used".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned GitHub Action version used. The workflow template references a GitHub Action (`aquasecurity/trivy-action`) at the mutable `master` branch instead of a specific version tag or commit hash. This poses a supply chain risk, as changes to the `master` branch could introduce vulnerabilities or malicious code without warning. The skill's own best practices recommend using specific action versions. Pin the GitHub Action to a specific version tag (e.g., `@v0.20.0`) or a full commit SHA to ensure deterministic and secure execution. | LLM | SKILL.md:198 |
| HIGH | Unpinned GitHub Action version used. The workflow template references a GitHub Action (`snyk/actions/node`) at the mutable `master` branch instead of a specific version tag or commit hash. This poses a supply chain risk, as changes to the `master` branch could introduce vulnerabilities or malicious code without warning. The skill's own best practices recommend using specific action versions. Pin the GitHub Action to a specific version tag (e.g., `@v1.2.3`) or a full commit SHA to ensure deterministic and secure execution. | LLM | SKILL.md:211 |