Audit a GitHub organization's members and their access levels, flagging overprivileged users and stale collaborators with last-active dates.
Walks a GitHub organization, lists every member and outside collaborator, and joins the data with each user's last public activity. Flags overprivileged users (admin role with no recent activity) and stale collaborators.
- org: the GitHub organization slug.
- GITHUB_TOKEN env var with read:org and repo scopes.
- stale_days: defaults to 90.
- skip_users: regex or list of usernames to exclude (bots, system accounts).

- gh api orgs/<org>/members --paginate --jq '.[].login'.
- gh api 'orgs/<org>/members?role=admin' --paginate --jq '.[].login' (the member list carries no role field, so admins are selected via the ?role=admin query).
- gh api repos/<org>/<repo>/collaborators?affiliation=outside.
- gh api users/<login>) and capture created_at, updated_at.
- gh api users/<login>/events?per_page=1 returns the most recent public event with created_at. Compare to today.
- gh api orgs/<org>/teams/<team>/members. Owners-of-everything is the worst pattern.

- stale_days -> overprivileged-stale (high).
- stale_days -> stale-collaborator (medium).
- repo-admin (low).

org-permission-audit.csv (one row per user-role combination) and org-permission-audit.md (top findings, charts of role distribution, action checklist). Exit 1 if any overprivileged-stale entry exists.
Pick three flagged users and verify by visiting their profile and checking the "Last activity" indicator in the org's people page. For each suggested removal, confirm the user is not the sole owner of any active repo. After remediation, rerun the audit and confirm the user list shrinks as expected.
- events API may show empty even if active; treat with lower confidence and flag for manual review.
- bot suffix or naming convention; exclude via skip_users.
- suspended tag rather than as overprivileged.
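The flagging rules and edge cases above, as an added example that is not the skill's own code. The record shape, the manual-review tag, the info and low-confidence severities, the default skip_users regex and the exact condition for repo-admin are assumptions; the sample records are constructed.

```python
import re
from datetime import datetime, timezone

def classify(users, today, stale_days=90, skip_users=r"(\[bot\]|-bot)$"):
    """Return (findings, exit_code); findings are (login, tag, severity)."""
    skip = re.compile(skip_users)
    findings = []
    for u in users:
        login, role = u["login"], u["role"]
        if skip.search(login):
            continue  # bots and system accounts excluded via skip_users
        if u.get("suspended"):
            findings.append((login, "suspended", "info"))  # not overprivileged
            continue
        if u.get("last_event") is None:
            # Empty public events do not prove inactivity: lower confidence.
            findings.append((login, "manual-review", "low-confidence"))
            continue
        last = datetime.fromisoformat(u["last_event"].replace("Z", "+00:00"))
        stale = (today - last).days > stale_days
        if role == "admin" and stale:
            findings.append((login, "overprivileged-stale", "high"))
        elif role == "outside" and stale:
            findings.append((login, "stale-collaborator", "medium"))
        elif role != "admin" and u.get("repo_admin"):
            findings.append((login, "repo-admin", "low"))  # assumed condition
    exit_code = 1 if any(tag == "overprivileged-stale" for _, tag, _ in findings) else 0
    return findings, exit_code

# Constructed sample records, not real accounts.
TODAY = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"login": "alice", "role": "admin", "last_event": "2024-01-10T09:00:00Z"},
    {"login": "bob", "role": "outside", "repo_admin": True, "last_event": "2024-05-20T12:00:00Z"},
    {"login": "carol", "role": "outside", "last_event": "2023-11-01T00:00:00Z"},
    {"login": "dave", "role": "admin", "last_event": None},
    {"login": "erin", "role": "admin", "suspended": True, "last_event": "2023-01-01T00:00:00Z"},
    {"login": "deploy-bot", "role": "admin", "last_event": None},
    {"login": "frank", "role": "member", "last_event": "2024-05-30T08:00:00Z"},
]

if __name__ == "__main__":
    findings, code = classify(SAMPLE, TODAY)
    for row in findings:
        print(",".join(row))
    raise SystemExit(code)
```
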