Claude Code Action: a bot-actor trust flaw opened a supply-chain path
A researcher showed Claude Code GitHub Action trusted any actor ending in [bot], letting a self-registered GitHub App trigger agent-mode workflows on public repos and chain prompt injection to OIDC-token theft. Fixed in v1.0.94.
What is this?
On June 1, 2026, RyotaK of GMO Flatt Security published Poisoning Claude Code: One GitHub Issue to Break the Supply Chain, documenting a permission-model flaw in Claude Code GitHub Action — the workflow Anthropic ships to drop Claude into CI/CD for issue triage, labelling, code review, and slash commands. The core finding: the action’s write-access gate could be bypassed by any attacker who registered their own GitHub App, letting untrusted content reach a workflow designed to process only trusted input. Chained with indirect prompt injection, that bypass led to theft of the credentials used to mint a privileged repository token — and, because the action’s own repository ran a vulnerable workflow, a path to compromise every downstream project that depends on it.
RyotaK reported the bypass to Anthropic on January 12, 2026; Anthropic fixed it four days later and hardened further through the spring, shipping the fixes in claude-code-action v1.0.94. Anthropic rated the issues 7.8 under CVSS v4.0 and paid a bug bounty. The write-up followed public disclosure, and the researcher notes that misconfiguration variants of the same pattern were already exploited in the wild before publication.
How it works
By default the workflow holds read and write access to a repository’s code, issues, pull requests, discussions, and workflow files. Because those permissions are broad, the action is meant to be selective about who can trigger it — only users with write access. That check lived in a checkWritePermissions function that returned true for any actor whose name ended in [bot], on the assumption that GitHub Apps are trusted things administrators install.
That assumption does not hold on public repositories. Anyone can register a GitHub App, install it on a repo they own, and use its installation token to open an issue or pull request on any public repository — GitHub grants Apps implicit access to public resources. The action saw an actor ending in [bot] and let the attacker-controlled content through. Tag mode carried an extra checkHumanActor verification; agent mode, at the time, did not.
From there the attacker relied on indirect prompt injection — instructions planted inside content the agent reads, so the model follows them instead of its task. In the documented proof-of-concept the injected text was framed so the agent would “recover” from an apparent read error by running embedded commands, reaching /proc/self/environ to pull the runner’s environment variables. The values that matter are the credential pair GitHub Actions uses to request an OIDC token; that token is exchanged for a Claude GitHub App installation token with write access. Steal the pair, replay the exchange, and you hold write access to the target’s code and workflows. Point it at the action’s own repository and the poison propagates downstream. No working payload is reproduced here; the interest is in the trust-boundary failure, and the researcher validated the chain only in his own test repositories.
A softer variant skipped the bot trick entirely: the shipped example issue-triage workflow set allowed_non_write_users: "*", and the agent posted task summaries to the workflow run’s publicly visible summary panel — a ready-made exfiltration channel that many copy-paste deployments inherited.
Why it matters
This is the agentic-CI/CD threat model made concrete. A workflow that (1) ingests untrusted GitHub content, (2) holds secrets and tokens, and (3) can act through tools is exactly the dangerous combination the lethal trifecta and Agents Rule of Two warn about — and here all three sat inside one action. The bypass turned a “trusted input only” design into an “any internet user” surface, and the blast radius was not one repo but the entire dependency graph beneath a widely used action, including the maintainer’s own. It sits alongside the Comment and Control pattern, where PR titles and issue bodies leaked GitHub Actions secrets across three vendors, and a separate Read-tool environment leak that reached the same /proc/self/environ file by a different route. The lesson repeats: identity checks based on string patterns are not authorization, and prompt injection remains unsolved wherever an agent with real tokens reads attacker-controlled text.
Defenses
- Update to claude-code-action v1.0.94 or later. The fix adds a human-actor check to agent mode, disables the run-summary channel by default, wraps
ghto block exfiltration-shaped arguments, and scrubs environment variables from child processes. - Audit every workflow that lets non-write users — or bots — trigger the agent. If it takes untrusted input, expose no secret beyond the minimum, and remove tools or permissions capable of exfiltration (
WebFetch, arbitraryBash,git push, evengh issue viewwith a URL argument). - Apply the Rule of Two. Never let one workflow simultaneously read untrusted input, hold sensitive credentials, and act externally. Drop one leg — pin the task, strip the secret, or gate the write behind a human.
- Treat actor identity as data, not authorization. A
[bot]suffix, an author name, or a “verified” badge is spoofable context; enforce real permission and provenance checks server-side. - Adopt isolation-first CI/CD agent architectures. See our coverage of GitHub Agentic Workflows’ security design — zero-secret agents, workflow firewalls, and staged-and-vetted writes — as the structural answer rather than prompt-level patches.
Status
| Item | Detail |
|---|---|
| Disclosed by | RyotaK, GMO Flatt Security |
| Reported / first fix | 2026-01-12 / 2026-01-16 (four-day turnaround) |
| Published | 2026-06-01 |
| Affected component | claude-code-action (agent mode + example issue-triage workflow) |
| Fixed in | claude-code-action v1.0.94 |
| Severity | CVSS v4.0 7.8 (High), per Anthropic |
| Exploited variants | Cline triage workflow (npm token theft, Feb 2026); no public sign the action-poisoning path hit a live target |
This is a disclosed and patched vulnerability class in a CI/CD integration. Component names and figures are as reported by the cited GMO Flatt Security write-up, The Hacker News, and Anthropic’s fix commit.