Agent Skills: Reusable Workflow Security

Category: Uncategorized
ID: adaptive-enforcement-lab/claude-skills/reusable-workflow-security

Install this agent skill locally:

pnpm dlx add-skill https://github.com/adaptive-enforcement-lab/claude-skills/tree/HEAD/plugins/secure/skills/reusable-workflow-security


plugins/secure/skills/reusable-workflow-security/SKILL.md

Skill Metadata

Name: reusable-workflow-security
Reusable Workflow Security

When to Use This Skill

Reusable workflows centralize logic but inherit the caller's security context. Unvalidated inputs, unrestricted callers, or unpinned workflow references create privilege escalation vectors and supply chain risks.

The Risk

Reusable workflows execute with the caller's GITHUB_TOKEN permissions and secret access. An attacker who controls workflow inputs can inject commands, exfiltrate secrets, or escalate privileges. Unpinned workflow references allow supply chain attacks when upstream workflows are compromised.

Implementation

See the full implementation guide in the source documentation.

Techniques

Secret Inheritance Patterns

Reusable workflows can receive secrets explicitly or inherit all secrets. Always prefer explicit secret passing.

Dangerous: secrets: inherit

```yaml
# Caller workflow
jobs:
  deploy:
    uses: example-org/shared-workflows/.github/workflows/deploy.yml@main   # placeholder reference
    secrets: inherit   # every repository and organization secret becomes visible to the called workflow
```
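As an added example (not code from the skill or from the AEL project), the hardened counterpart: a caller that passes one secret explicitly and pins the reusable workflow to a full commit SHA, alongside a called workflow that declares typed inputs, rejects callers outside its organization, and reads inputs through environment variables instead of interpolating them into a shell command. The repository names, secret name, script path, and the SHA are placeholders.

```yaml
# --- Caller workflow (placeholder: .github/workflows/release.yml) ---
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read   # least privilege; the called workflow cannot exceed this ceiling
jobs:
  deploy:
    # Pin to a full commit SHA (placeholder), not a branch or tag: a compromised upstream cannot silently change what runs here.
    uses: example-org/shared-workflows/.github/workflows/deploy.yml@0123456789abcdef0123456789abcdef01234567
    with:
      environment: production
    secrets:
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # only the one secret this job needs
---
# --- Called workflow (placeholder: example-org/shared-workflows/.github/workflows/deploy.yml) ---
name: deploy
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
    secrets:
      DEPLOY_TOKEN:
        required: true   # must be passed explicitly; no other caller secret is visible
permissions:
  contents: read
jobs:
  deploy:
    # The github context describes the caller, so this rejects callers outside the org.
    if: github.repository_owner == 'example-org'
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    steps:
      - name: Validate input before use
        env:
          TARGET: ${{ inputs.environment }}   # pass via env, never inline in run:
        run: |
          case "$TARGET" in
            staging|production) ;;
            *) echo "unexpected environment: $TARGET" >&2; exit 1 ;;
          esac
      - name: Deploy
        env:
          TARGET: ${{ inputs.environment }}
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: ./scripts/deploy.sh "$TARGET"   # placeholder script that reads DEPLOY_TOKEN from env
```

The `permissions` block in the called workflow can only narrow what the caller granted, so the caller's `contents: read` is the effective ceiling for the whole run.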

*See [reference.md](reference.md) for additional techniques and detailed examples.*

## Examples

See [examples.md](examples.md) for code examples.

## Full Reference

See [reference.md](reference.md) for complete documentation.

## References

- [Source Documentation](https://adaptive-enforcement-lab.com/secure/github-actions-security/)
- [AEL Secure](https://adaptive-enforcement-lab.com/secure/)