A security researcher uncovered a weakness in Anthropic’s Claude Code GitHub Action that could allow an attacker to hijack vulnerable public repositories using it—all it takes is opening a single GitHub issue. Since Anthropic’s own action repository ran the same workflow, a successful exploit could have injected malicious code into the action itself and spread it to every downstream project that depends on it.
RyotaK from GMO Flatt Security disclosed the main bypass to Anthropic in January. Anthropic patched it within four days and continued strengthening defenses through the spring; the fixes are included in claude-code-action v1.0.94. Anthropic assigned the vulnerability a CVSS v4.0 score of 7.8 and awarded a bug bounty.
Claude Code GitHub Actions integrates Claude into CI/CD pipelines to handle tasks like sorting issues, applying labels, reviewing pull requests, or executing slash commands. By default, the workflow is granted read and write access to a repository’s code, issues, pull requests, discussions, and workflow files. Given how extensive those permissions are, the action is designed to be selective about who can invoke it—only users with write access should be able to.
But the trigger check had a gap. It automatically approved any actor whose username ended in [bot], operating on the assumption that GitHub Apps are trusted tools installed by administrators. The problem is that anyone can create a GitHub App, install it on a repository they control, and then use its token to open an issue or pull request on any public repository. The action saw “a bot” and let the attacker’s content pass through. Tag mode included an additional verification step to confirm the actor was an actual human; agent mode lacked this check, leaving it exposed.
Once inside, the attacker relies on indirect prompt injection—the technique of embedding hidden instructions within content that an AI processes, causing the model to follow those instructions instead of its intended task. RyotaK crafted an issue whose body resembled an error message, then fine-tuned the prompt until Claude would “recover” by executing the commands hidden inside it. The target was /proc/self/environ, the Linux file containing a process’s environment variables, including secrets. Claude Code blocks straightforward reads of this file, but RyotaK found a way around the safeguard and got Claude to output the values back into the issue, where the attacker could collect them.
The most valuable items in those variables are the credential pair GitHub Actions uses to request an OIDC token—a signed token that verifies “I’m this workflow running in this repository.” Claude Code exchanges that token with Anthropic’s backend for a Claude GitHub App installation token with write access. Steal those credentials, replay the exchange, and you gain write access to the target’s code, issues, and workflows. Point this at the claude-code-action repository itself, and you could corrupt the action that downstream projects depend on.

RyotaK also identified a simpler approach that bypassed the bot trick altogether. Anthropic’s own example issue-triage workflow shipped with allowed_non_write_users: "*", which permits anyone to trigger it—a setting that Anthropic’s documentation already warns is risky. On top of that, Claude was posting task summaries to the workflow run’s publicly visible summary panel, creating an easy channel for data leakage. Many repositories copied that example configuration and inherited the vulnerability.
There’s also a method for an attacker who can edit issues but can’t trigger Claude independently: modify a trusted user’s issue after it has already triggered the workflow but before Claude reads it, and the malicious payload enters as “trusted” input.
What should you do? Upgrade to claude-code-action v1.0.94 or a newer version. Then review any workflow that allows users without write access—or bots—to trigger Claude: if it processes untrusted input, don’t expose any secrets beyond the Anthropic API key and GITHUB_TOKEN, and strip out tools and permissions that could be leveraged for data exfiltration.
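One way to express that review as a trigger gate, written here as an added example and not claude-code-action's own code: it models the three gaps described above (the [bot] suffix auto-approval, the allowed_non_write_users "*" wildcard, and an issue edited after the workflow fired). The TriggerEvent fields and the PERMISSIONS table are constructed stand-ins for GitHub webhook data and the collaborator-permission API, and the hardened policy is an assumption, not Anthropic's actual fix.

```python
"""Trigger gate for an AI issue-triage workflow (added example, not the action's code).
Models the gaps the article describes: '[bot]' suffix auto-approval, the
allowed_non_write_users "*" wildcard, and an issue edited after the trigger fired."""
from dataclasses import dataclass

WRITE_LEVELS = {"write", "maintain", "admin"}

# Constructed stand-in for the repository's collaborator-permission lookup.
PERMISSIONS = {"alice": "admin", "bob": "read"}


@dataclass
class TriggerEvent:
    actor: str               # login that opened the issue, e.g. "alice" or "some-app[bot]"
    actor_type: str          # "User" or "Bot", as the webhook payload reports it
    payload_updated_at: str  # issue updated_at captured in the triggering webhook payload
    current_updated_at: str  # updated_at re-fetched right before the agent reads the body


def vulnerable_is_allowed(ev: TriggerEvent) -> bool:
    """The gap from the article: any login ending in '[bot]' is trusted outright."""
    if ev.actor.endswith("[bot]"):
        return True
    return PERMISSIONS.get(ev.actor, "none") in WRITE_LEVELS


def hardened_is_allowed(ev: TriggerEvent, allowed_non_write_users=(), allowed_bots=()):
    """Assumed policy (not Anthropic's fix): explicit allowlists only, no suffix trust,
    and the "*" wildcard is treated as a misconfiguration and denied."""
    if "*" in allowed_non_write_users:
        return False, 'allowed_non_write_users "*" lets any GitHub account trigger the agent'
    if ev.actor_type == "Bot" or ev.actor.endswith("[bot]"):
        # Anyone can create and install a GitHub App, so a bot login proves nothing by itself.
        ok = ev.actor in allowed_bots
        return ok, "bot allowlisted" if ok else "bot not in allowed_bots"
    if PERMISSIONS.get(ev.actor, "none") in WRITE_LEVELS:
        return True, "actor has write access"
    ok = ev.actor in allowed_non_write_users
    return ok, "non-write actor allowlisted" if ok else "actor lacks write access"


def gate(ev: TriggerEvent, **policy):
    """Authorize the actor, then refuse if the issue changed between trigger and read."""
    ok, reason = hardened_is_allowed(ev, **policy)
    if not ok:
        return False, reason
    if ev.payload_updated_at != ev.current_updated_at:
        return False, "issue edited after trigger"
    return True, reason
```

The staleness check only catches edits made between the webhook and the agent's read; it does not replace minimizing the secrets and tools the run can reach.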
These aren’t hypothetical scenarios. The same combination—an AI issue triager with broad permissions combined with prompt injection—has already led to a real supply-chain attack:
- In February, a prompt-injected issue title targeting Cline’s claude-code-action triage workflow enabled attackers to steal an npm publish token and push an unauthorized cline@2.3.0 release. The tampered version only force-installed a separate, non-malicious AI agent and was removed roughly eight hours later, but the same attack chain could just as easily have delivered genuine malware to everyone who updated.
- The autonomous “HackerBot-Claw” bot then spent late February scanning GitHub Actions misconfigurations at Microsoft, Datadog, CNCF projects, and others. When it attempted to prompt-inject a Claude-based reviewer through a poisoned config file, Claude detected it and refused to comply.
There’s no public evidence that this specific attack path—the one targeting Anthropic’s own action—was ever used against a real target. RyotaK demonstrated it only in his own test repositories, and he’s careful to distinguish that from the variants above that were actually exploited.
RyotaK says he has now reported approximately 50 distinct methods for bypassing Claude Code’s permission system and executing commands, part of an ongoing series of prompt-injection vulnerabilities in AI coding agents. Prompt injection remains an unsolved problem, and an agent equipped with real tools and real tokens can be manipulated to operate at the full extent of its granted permissions.