Claude Code GitHub Action flaw let one malicious issue hijack repos via prompt injection and OIDC token theft - bot-trigger bypass
Researcher RyotaK has disclosed a now-patched flaw in Anthropic's Claude Code GitHub Action, which drops Claude into CI/CD to triage issues and review PRs with broad repo permissions. The action's trigger check waved through any actor whose name ended in [bot], but anyone can register a GitHub App and use its token to open an issue on a public repo. Agent mode lacked the human-actor check that tag mode had. The attacker then used indirect prompt injection in an issue to make Claude read /proc/self/environ and write back the OIDC credentials, which can be replayed for an installation token with write access. Anthropic's example workflow shipped with allowed_non_write_users: '*'.
- Check: Audit repos using Claude Code GitHub Action: update to the patched version, and check workflows for allowed_non_write_users set to '*'. Review public run summaries for leaked secrets.
- Affected: Repositories using vulnerable Claude Code GitHub Action versions, especially in agent mode or with allowed_non_write_users: '*' copied from Anthropic's example. Public repos are exposed to [bot]-triggered prompt-injection attacks.
- Fix: Update the Claude Code action to the fixed release. Remove allowed_non_write_users: '*', restrict triggers to write-access humans, and rotate any OIDC-derived tokens. Avoid posting task output to public run summaries.
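One way to run the workflow audit described under Check, as an added example that is not part of the original report or Anthropic's code. It assumes the action is referenced as anthropics/claude-code-action; the function names and the sample workflow are constructed for illustration, and the pinned ref is only reported for manual comparison against the fixed release.

```python
import pathlib
import re
import sys

# Assumption: the action is referenced by its public repository name,
# anthropics/claude-code-action; the page only names the input key.
ACTION_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?(anthropics/claude-code-action[^\s'\"#]*)")
INPUT_RE = re.compile(r"^\s*(?:-\s*)?allowed_non_write_users:\s*(.*)$")

def scalar(raw):
    """Strip surrounding quotes or a trailing YAML comment from a value."""
    raw = raw.strip()
    if raw[:1] in ("'", '"'):
        end = raw.find(raw[0], 1)
        return raw[1:end] if end > 0 else raw[1:]
    return raw.split(" #", 1)[0].strip()

def audit_workflow(text):
    """Return (line_no, kind, detail) findings for one workflow file."""
    refs, wildcards = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out YAML is not active configuration
        if m := ACTION_RE.match(line):
            refs.append((no, "action-ref", m.group(1)))
        elif (m := INPUT_RE.match(line)) and "*" in scalar(m.group(1)):
            wildcards.append((no, "wildcard-non-write-users", scalar(m.group(1))))
    # Only report the input when the file actually uses the action.
    return sorted(refs + wildcards) if refs else []

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@EXAMPLE_REF
        with:
          allowed_non_write_users: '*'  # copied from an example
"""

if __name__ == "__main__":
    root = pathlib.Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in sorted(root.glob(".github/workflows/*.y*ml")):
        for no, kind, detail in audit_workflow(path.read_text()):
            print(f"{path}:{no}: {kind}: {detail}")
```

Run it from a repository checkout (or pass the checkout path as the first argument); every `wildcard-non-write-users` line is a workflow that still lets any account trigger the action.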