Skill Firewall Action skill-scan-v1.0.0

Skill Firewall Action — first stable release

The standalone, offline half of OpenTrApp's skill defense, packaged as a reusable GitHub Action. It scans agent skills and plugins for malware and prompt injection before an agent loads them, right in your CI. No model, no network. It runs the same engine OpenTrApp runs inside its five-container perimeter, so there is no separate fork to trust.

This release is verified end to end in real CI by the self-scan dogfood workflow (the only place a GitHub Action can actually be exercised).

Use it

permissions:
  contents: read
  security-events: write   # only to upload findings to the Security tab

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: albertdobmeyer/opentrapp/actions/skill-scan@skill-scan-v1
        with:
          path: ./skills      # a skill dir, a parent of several, or a single SKILL.md
          strict: false

Pin to @skill-scan-v1 to receive patches within major version 1, or to @skill-scan-v1.0.0 for an exact pin.

What it checks

• An 87 pattern blocklist mapped to MITRE ATT&CK, including 16 prompt injection patterns.
• A zero trust line classifier that quarantines a skill if a single line is unrecognised.
• SARIF output, so findings appear in your repository's Security tab.

The honesty boundary

This Action reads and pattern matches text. It does not execute the skill. Its guarantee is "vet a skill before an agent loads it," not "no untrusted content ever touches your runner." The stronger "untrusted content is only ever processed inside an isolated container" property belongs to the full OpenTrApp perimeter. See ADR-0025 and the Action README.

This is a subdirectory action in the OpenTrApp monorepo. It is fully usable via the uses: line above; it is not listed on the GitHub Marketplace, which requires a single action at a repository root.