{"schema_version":1,"workflow_uuid":"6f58c192-3c0d-11f1-9bc6-00163e2b0d79","workflow_title":"OpenSSF Scorecard — Security Health Metrics for Open Source","page_url":"https://tokrepo.com/en/workflows/openssf-scorecard-security-health-metrics-open-source-6f58c192","raw_url":"https://tokrepo.com/raw/openssf-scorecard-security-health-metrics-open-source-6f58c192","metadata_url":"https://tokrepo.com/metadata/openssf-scorecard-security-health-metrics-open-source-6f58c192.json","install_plan_url":"https://api.tokrepo.com/api/v1/tokenboard/workflows/install-plan?uuid=6f58c192-3c0d-11f1-9bc6-00163e2b0d79&target=codex","recommended_install":{"schema_version":1,"status":"stage","policy":"stage_only","install_mode":"stage_only","target":"codex","command":"npx -y tokrepo@latest install 6f58c192-3c0d-11f1-9bc6-00163e2b0d79 --target codex","dry_run_command":"npx -y tokrepo@latest install 6f58c192-3c0d-11f1-9bc6-00163e2b0d79 --target codex --dry-run --json","runtime_commands":{"codex":"npx -y tokrepo@latest install 6f58c192-3c0d-11f1-9bc6-00163e2b0d79 --target codex","gemini":"npx -y tokrepo@latest install 6f58c192-3c0d-11f1-9bc6-00163e2b0d79 --target gemini","project":"npx -y tokrepo@latest install 6f58c192-3c0d-11f1-9bc6-00163e2b0d79"},"prompt":"Install and make this TokRepo asset usable: \"OpenSSF Scorecard — Security Health Metrics for Open Source\".\n\nPage: https://tokrepo.com/en/workflows/openssf-scorecard-security-health-metrics-open-source-6f58c192\nUUID: 6f58c192-3c0d-11f1-9bc6-00163e2b0d79\nTarget adapter: codex\nPolicy/mode: stage_only / stage_only\n\nRead these machine-facing entry points first:\n- metadata: https://tokrepo.com/metadata/openssf-scorecard-security-health-metrics-open-source-6f58c192.json\n- install contract: https://tokrepo.com/install-contract/openssf-scorecard-security-health-metrics-open-source-6f58c192.json\n- install plan: https://api.tokrepo.com/api/v1/tokenboard/workflows/install-plan?uuid=6f58c192-3c0d-11f1-9bc6-00163e2b0d79&target=codex\n- raw content: https://tokrepo.com/raw/openssf-scorecard-security-health-metrics-open-source-6f58c192\n\nCommands:\n- choose the current runtime; do not use unsupported CLI targets.\n- Codex: npx -y tokrepo@latest install 6f58c192-3c0d-11f1-9bc6-00163e2b0d79 --target codex\n- Gemini CLI: npx -y tokrepo@latest install 6f58c192-3c0d-11f1-9bc6-00163e2b0d79 --target gemini\n- Claude Code / project agent: run npx -y tokrepo@latest install 6f58c192-3c0d-11f1-9bc6-00163e2b0d79 from the project root; add `--dry-run --json` first to inspect the plan.\n- add `--dry-run --json` to the chosen command first; after the plan allows it, run the chosen command.\n\nExecution rules:\n1. Run the install command to stage the asset safely.\n2. Read the staged README, install-plan, and entrypoint files.\n3. Activate scripts, MCP config, or global config only after user confirmation.\n4. Verify usability with the install-plan post_verify checks and the asset README.\n\nReport back with changed files, verification result, and how to use the asset next.","next_steps":["Run the install command to stage the asset safely.","Read the staged README, install-plan, and entrypoint files.","Activate scripts, MCP config, or global config only after user confirmation.","Verify usability with the install-plan post_verify checks and the asset README."],"success_check":["The asset is safely staged.","The agent can give clear activation steps from the staged content."]},"agent_metadata":{"asset_kind":"skill","target_tools":["claude_code","codex","gemini_cli"],"install_mode":"stage_only","entrypoint":"Scorecard Overview","risk_profile":{"executes_code":false,"modifies_global_config":false,"requires_secrets":["GITHUB_AUTH_TOKEN"],"uses_absolute_paths":false,"network_access":false},"dependencies":{"npm":[],"pip":[],"brew":[],"system":[]},"content_hash":"1e7e7d73ef5c7cc1a7602df9794148d7b8c84c55bd378b09e6d9986ed85fa743","verification":{"commands":[],"expected_files":["Scorecard Overview"]}},"agent_fit":{"target":"codex","score":29,"status":"stage_only","policy":"stage_only","why":["target_tools includes codex","asset_kind skill","install_mode stage_only","policy stage_only","install_mode is stage_only","risk_profile.requires_secrets is not empty","trust established"],"asset_kind":"skill","install_mode":"stage_only"},"trust":{"author_trust_level":"established","verified_publisher":false,"asset_signed_hash":"1e7e7d73ef5c7cc1a7602df9794148d7b8c84c55bd378b09e6d9986ed85fa743","signature_status":"hash_only","install_count":0,"report_count":0,"dangerous_capability_badges":["requires_secrets","stage_only"],"review_status":"unreviewed","signals":["asset has usage views","author has published assets","content hash available"]},"provenance":{"owner_uuid":"8a910e34-3180-11f1-9bc6-00163e2b0d79","owner_name":"Script Depot","source_url":"https://tokrepo.com/en/workflows/openssf-scorecard-security-health-metrics-open-source-6f58c192","content_hash":"1e7e7d73ef5c7cc1a7602df9794148d7b8c84c55bd378b09e6d9986ed85fa743","visibility":1,"created_at":"2026-04-20 00:33:02","updated_at":"2026-06-13 15:40:46"},"target_adapter":{"target":"codex","adapter":"skill-directory","root":"~/.codex/skills","entrypoint":"SKILL.md","manifest_path":"~/.codex/tokrepo/install-manifest.json","staging_root":"~/.codex/tokrepo/staged/6f58c192-3c0d-11f1-9bc6-00163e2b0d79","install_modes":["single","bundle","split","stage_only"],"activates_files":true},"install_plan":{"schema_version":2,"target":"codex","asset_uuid":"6f58c192-3c0d-11f1-9bc6-00163e2b0d79","asset_title":"OpenSSF Scorecard — Security Health Metrics for Open Source","source_url":"https://tokrepo.com/en/workflows/openssf-scorecard-security-health-metrics-open-source-6f58c192","install_mode":"stage_only","entrypoint":"Scorecard Overview","preconditions":[{"type":"target_supported","status":"pass","message":"codex install target is supported"},{"type":"install_root","status":"pass","message":"~/.codex/skills for activated assets; ~/.codex/tokrepo/staged/6f58c192-3c0d-11f1-9bc6-00163e2b0d79 for staged assets"},{"type":"target_tool_metadata","status":"pass","message":"metadata allows codex"},{"type":"content_hash","status":"pass","message":"asset metadata includes content_hash"},{"type":"trust_policy","status":"pass","message":"publisher trust level is established"},{"type":"policy_decision","status":"warn","message":"stage_only for 6f58c192-3c0d-11f1-9bc6-00163e2b0d79 (stage_only)"}],"actions":[{"type":"stage_file","path":"~/.codex/tokrepo/staged/6f58c192-3c0d-11f1-9bc6-00163e2b0d79/Scorecard Overview.md","source_name":"Scorecard Overview","sha256":"8f46a86189db1d13612143f93f6603d6dab2f77e98ba6926c49a876ee3534e3c","bytes":3459,"risk":{"executes_code":false,"modifies_global_config":false,"requires_secrets":["GITHUB_AUTH_TOKEN"],"uses_absolute_paths":false,"network_access":false},"if_exists":"overwrite"}],"policy_decision":{"decision":"stage_only","requires_confirmation":false,"reasons":["install_mode is stage_only","risk_profile.requires_secrets is not empty"]},"requires_confirmation":false,"rollback":[{"type":"remove_file","path":"~/.codex/tokrepo/staged/6f58c192-3c0d-11f1-9bc6-00163e2b0d79/Scorecard Overview.md"}],"post_verify":[{"type":"file_sha256","path":"~/.codex/tokrepo/staged/6f58c192-3c0d-11f1-9bc6-00163e2b0d79/Scorecard Overview.md","sha256":"8f46a86189db1d13612143f93f6603d6dab2f77e98ba6926c49a876ee3534e3c"},{"type":"expected_file","path":"Scorecard Overview.md"}],"metadata":{"asset_kind":"skill","target_tools":["claude_code","codex","gemini_cli"],"install_mode":"stage_only","entrypoint":"Scorecard Overview","risk_profile":{"executes_code":false,"modifies_global_config":false,"requires_secrets":["GITHUB_AUTH_TOKEN"],"uses_absolute_paths":false,"network_access":false},"dependencies":{"npm":[],"pip":[],"brew":[],"system":[]},"content_hash":"1e7e7d73ef5c7cc1a7602df9794148d7b8c84c55bd378b09e6d9986ed85fa743","verification":{"commands":[],"expected_files":["Scorecard Overview"]}},"agent_fit":{"target":"codex","score":29,"status":"stage_only","policy":"stage_only","why":["target_tools includes codex","asset_kind skill","install_mode stage_only","policy stage_only","install_mode is stage_only","risk_profile.requires_secrets is not empty","trust established"],"asset_kind":"skill","install_mode":"stage_only"},"trust":{"author_trust_level":"established","verified_publisher":false,"asset_signed_hash":"1e7e7d73ef5c7cc1a7602df9794148d7b8c84c55bd378b09e6d9986ed85fa743","signature_status":"hash_only","install_count":0,"report_count":0,"dangerous_capability_badges":["requires_secrets","stage_only"],"review_status":"unreviewed","signals":["asset has usage views","author has published assets","content hash available"]},"provenance":{"owner_uuid":"8a910e34-3180-11f1-9bc6-00163e2b0d79","owner_name":"Script Depot","source_url":"https://tokrepo.com/en/workflows/openssf-scorecard-security-health-metrics-open-source-6f58c192","content_hash":"1e7e7d73ef5c7cc1a7602df9794148d7b8c84c55bd378b09e6d9986ed85fa743","visibility":1,"created_at":"2026-04-20 00:33:02","updated_at":"2026-06-13 15:40:46"},"target_adapter":{"target":"codex","adapter":"skill-directory","root":"~/.codex/skills","entrypoint":"SKILL.md","manifest_path":"~/.codex/tokrepo/install-manifest.json","staging_root":"~/.codex/tokrepo/staged/6f58c192-3c0d-11f1-9bc6-00163e2b0d79","install_modes":["single","bundle","split","stage_only"],"activates_files":true},"evidence_bundle":{"acceptance_gate":{"recommended_action":"stage_or_request_confirmation","rule":"Agents should only activate an asset after evidence_bundle.integrity, policy_compatibility, rollback, and post_verify have been inspected.","status":"caution"},"asset_title":"OpenSSF Scorecard — Security Health Metrics for Open Source","asset_uuid":"6f58c192-3c0d-11f1-9bc6-00163e2b0d79","eval_evidence":["https://tokrepo.com/evals/install-safety.json","https://tokrepo.com/evals/trust-evidence-coverage.json","https://tokrepo.com/evals/handoff-quality.json"],"generated_at":"2026-06-13T07:40:47Z","integrity":{"content_hash":"8b1f6f945e8846bbb740bf100da5c3a3be588897b454ad06a290cf5058b821da","declared_content_hash":"1e7e7d73ef5c7cc1a7602df9794148d7b8c84c55bd378b09e6d9986ed85fa743","file_count":1,"hash_algorithm":"sha256","install_plan_hash":"ae2102077664a963f232b8107fab740e9fa85871d1f8e5ad63a7a6b4d7156701"},"policy_compatibility":{"permission_envelope":{"destructive":false,"executes_code":false,"file_count":1,"filesystem_write":["~/.codex/tokrepo/staged"],"global_config_write":false,"network":false,"requires_secrets":["GITHUB_AUTH_TOKEN"],"uses_absolute_paths":false},"policy_decision":{"decision":"stage_only","requires_confirmation":false,"reasons":["install_mode is stage_only","risk_profile.requires_secrets is not empty"]},"requires_confirmation":false,"target":"codex","trust_score_v2":{"recommended_action":"stage_or_request_confirmation","status":"caution","trust_score":60}},"provenance":{"asset_kind":"skill","asset_title":"OpenSSF Scorecard — Security Health Metrics for Open Source","asset_uuid":"6f58c192-3c0d-11f1-9bc6-00163e2b0d79","computed_bundle_hash":"8b1f6f945e8846bbb740bf100da5c3a3be588897b454ad06a290cf5058b821da","content_hash":"1e7e7d73ef5c7cc1a7602df9794148d7b8c84c55bd378b09e6d9986ed85fa743","created_at":"2026-04-20 00:33:02","generated_at":"2026-06-13T07:40:47Z","install_plan_hash":"ae2102077664a963f232b8107fab740e9fa85871d1f8e5ad63a7a6b4d7156701","owner_name":"Script Depot","owner_uuid":"8a910e34-3180-11f1-9bc6-00163e2b0d79","parent_uuid":"","schema_version":2,"source":"tokrepo_asset","source_url":"https://tokrepo.com/en/workflows/openssf-scorecard-security-health-metrics-open-source-6f58c192","updated_at":"2026-06-13 15:40:46","visibility":1},"sbom":{"asset_kind":"skill","asset_title":"OpenSSF Scorecard — Security Health Metrics for Open Source","asset_uuid":"6f58c192-3c0d-11f1-9bc6-00163e2b0d79","capability_flags":{"destructive":false,"executes_code":false,"modifies_global_config":false,"network_access":false,"requires_secrets":["GITHUB_AUTH_TOKEN"]},"content_hash":"8b1f6f945e8846bbb740bf100da5c3a3be588897b454ad06a290cf5058b821da","dependencies":{"brew":[],"mcp":[],"npm":[],"pip":[],"system":[]},"files":[{"bytes":3459,"path":"~/.codex/tokrepo/staged/6f58c192-3c0d-11f1-9bc6-00163e2b0d79/Scorecard Overview.md","role":"supporting_file","sha256":"8f46a86189db1d13612143f93f6603d6dab2f77e98ba6926c49a876ee3534e3c","source_name":"Scorecard Overview"}],"format":"SBOM-lite","install_mode":"stage_only","schema_version":1,"target":"codex"},"schema":"https://tokrepo.com/schemas/agent-evidence-bundle.schema.json","schema_version":1,"schemas":{"asset_verification":"https://tokrepo.com/schemas/asset-verification.schema.json","evidence_bundle":"https://tokrepo.com/schemas/agent-evidence-bundle.schema.json","install_plan":"https://tokrepo.com/schemas/install-plan.schema.json","provenance":"https://tokrepo.com/schemas/provenance.schema.json","sbom":"https://tokrepo.com/schemas/agent-evidence-bundle.schema.json#/properties/sbom"},"signature_evidence":{"content_hash":"8b1f6f945e8846bbb740bf100da5c3a3be588897b454ad06a290cf5058b821da","hash_algorithm":"sha256","install_plan_hash":"ae2102077664a963f232b8107fab740e9fa85871d1f8e5ad63a7a6b4d7156701","schema_version":1,"signed_hash":"1e7e7d73ef5c7cc1a7602df9794148d7b8c84c55bd378b09e6d9986ed85fa743","status":"hash_only","verification_notes":["hash_only evidence proves content integrity but not publisher identity unless an external signature verifies it"]},"source_url":"https://tokrepo.com/en/workflows/openssf-scorecard-security-health-metrics-open-source-6f58c192","target":"codex"},"sbom":{"asset_kind":"skill","asset_title":"OpenSSF Scorecard — Security Health Metrics for Open Source","asset_uuid":"6f58c192-3c0d-11f1-9bc6-00163e2b0d79","capability_flags":{"destructive":false,"executes_code":false,"modifies_global_config":false,"network_access":false,"requires_secrets":["GITHUB_AUTH_TOKEN"]},"content_hash":"8b1f6f945e8846bbb740bf100da5c3a3be588897b454ad06a290cf5058b821da","dependencies":{"brew":[],"mcp":[],"npm":[],"pip":[],"system":[]},"files":[{"bytes":3459,"path":"~/.codex/tokrepo/staged/6f58c192-3c0d-11f1-9bc6-00163e2b0d79/Scorecard Overview.md","role":"supporting_file","sha256":"8f46a86189db1d13612143f93f6603d6dab2f77e98ba6926c49a876ee3534e3c","source_name":"Scorecard Overview"}],"format":"SBOM-lite","install_mode":"stage_only","schema_version":1,"target":"codex"},"signature_evidence":{"content_hash":"8b1f6f945e8846bbb740bf100da5c3a3be588897b454ad06a290cf5058b821da","hash_algorithm":"sha256","install_plan_hash":"ae2102077664a963f232b8107fab740e9fa85871d1f8e5ad63a7a6b4d7156701","schema_version":1,"signed_hash":"1e7e7d73ef5c7cc1a7602df9794148d7b8c84c55bd378b09e6d9986ed85fa743","status":"hash_only","verification_notes":["hash_only evidence proves content integrity but not publisher identity unless an external signature verifies it"]},"provenance_v2":{"asset_kind":"skill","asset_title":"OpenSSF Scorecard — Security Health Metrics for Open Source","asset_uuid":"6f58c192-3c0d-11f1-9bc6-00163e2b0d79","computed_bundle_hash":"8b1f6f945e8846bbb740bf100da5c3a3be588897b454ad06a290cf5058b821da","content_hash":"1e7e7d73ef5c7cc1a7602df9794148d7b8c84c55bd378b09e6d9986ed85fa743","created_at":"2026-04-20 00:33:02","generated_at":"2026-06-13T07:40:47Z","install_plan_hash":"ae2102077664a963f232b8107fab740e9fa85871d1f8e5ad63a7a6b4d7156701","owner_name":"Script Depot","owner_uuid":"8a910e34-3180-11f1-9bc6-00163e2b0d79","parent_uuid":"","schema_version":2,"source":"tokrepo_asset","source_url":"https://tokrepo.com/en/workflows/openssf-scorecard-security-health-metrics-open-source-6f58c192","updated_at":"2026-06-13 15:40:46","visibility":1},"transitive_dependencies":null}}