cicd-bot-command-injection
Official
Secure CI/CD from malicious bot commands.
Author: securityfortech
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
This Skill protects your CI/CD pipelines from unauthorized command execution triggered by malicious comments on issues or pull requests, preventing potential supply chain attacks and unauthorized deployments.
Core Features & Use Cases
- Vulnerability Identification: Detects CI/CD workflows vulnerable to command injection via issue_comment or pull_request_review_comment triggers.
- Exploitation Guidance: Provides methods to identify and exploit vulnerabilities where commenter authorization is not verified.
- Use Case: A malicious actor could post a comment like "@bot deploy production" on an open pull request, triggering a deployment workflow with sensitive secrets if the workflow doesn't verify the actor's identity. This skill helps you find and fix such vulnerabilities.
Quick Start
Use the cicd-bot-command-injection skill to find workflows in .github/workflows/ that are triggered by issue comments and lack authorization checks.
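The following is an added illustration, not code from the securityfortech skill or its repository: a comment-triggered deployment workflow in the vulnerable shape the use case above describes, followed by a hardened form that checks who wrote the comment before any step with secrets runs. The workflow names, the "@bot deploy" command, scripts/deploy.sh, the DEPLOY_TOKEN secret and the "production" environment are all hypothetical; the two files are shown in one block separated by a YAML document marker only for side-by-side reading, and each would live as its own file under .github/workflows/.

```yaml
# .github/workflows/deploy-bot.yml  (VULNERABLE form, constructed for illustration)
# Any GitHub account that can comment on the PR can trigger this job:
# the condition looks at the command text but never at the commenter.
name: deploy-bot-vulnerable
on:
  issue_comment:
    types: [created]
jobs:
  deploy:
    if: startsWith(github.event.comment.body, '@bot deploy')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/deploy.sh production        # hypothetical deploy script
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }} # secret exposed to an unauthenticated trigger

---
# .github/workflows/deploy-bot.yml  (HARDENED form, constructed for illustration)
# The job only runs when (1) the comment is on a pull request, (2) it carries the
# bot command and (3) the commenter's association with the repository is one that
# implies real trust. CONTRIBUTOR is deliberately absent: anyone whose PR was ever
# merged holds that association. The same check applies unchanged to a
# pull_request_review_comment trigger, whose payload also exposes
# github.event.comment.author_association.
name: deploy-bot-hardened
on:
  issue_comment:
    types: [created]
permissions:
  contents: read          # least privilege for the default GITHUB_TOKEN
jobs:
  deploy:
    if: >-
      github.event.issue.pull_request &&
      startsWith(github.event.comment.body, '@bot deploy') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    environment: production   # hypothetical environment; lets you add required reviewers
    steps:
      - uses: actions/checkout@v4   # checks out the default branch, not the untrusted PR head
      - name: Deploy
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
          # Untrusted comment text is handed to the shell as an environment
          # variable instead of being interpolated into the run: line.
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: ./scripts/deploy.sh production
```

Two design points are easy to miss. First, an issue_comment workflow always executes the workflow file from the default branch, so the authorization check cannot be edited away by the PR author; the check is only meaningful, though, if the job also avoids checking out and running code from the PR head with secrets in scope, which is why the hardened form checks out the default branch. Second, the quick-start scan described above is looking for exactly the gap between the two files: a job on one of these triggers whose if: condition (or an equivalent early step) never consults author_association, github.actor or a maintained allow list.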
Dependency Matrix
Required Modules
None required
Components
references
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill:
Name: cicd-bot-command-injection
Download link: https://github.com/securityfortech/hacking-skills/archive/main.zip#cicd-bot-command-injection
Please download this .zip file, extract it, and install it in the .claude/skills/ directory.