The "claude-auto-fix-ci.yml" workflow has a few areas to tighten up for defense in depth:
- Branch name from
github.event.workflow_run.head_branch is passed verbatim into Claude's prompt, it should be sanitized/quoted before injection
- --allowedTools "Bash(*)" is overly broad, replace with a specific tool allowlist
- "SUPERMEMORY_API_KEY" in the MCP config has full org permissions; consider a scoped read-only key for CI use
Note: Overall risk is low because fork PRs require maintainer approval before the workflow runs (an "action_required" conclusion), so external contributors cannot trigger it automatically. These are hardening improvements for the case in which an internal contributor's branch name is maliciously crafted.
Suggested fixes:
- Sanitize branch name before passing to prompt: strip special characters
- Replace "Bash(*)" with specific commands the workflow actually needs
- Generate a scoped API key (read-only, specific containerTags) for CI
The "claude-auto-fix-ci.yml" workflow has a few areas to tighten up for defense in depth:
github.event.workflow_run.head_branchis passed verbatim into Claude's prompt, it should be sanitized/quoted before injectionNote: Overall risk is low because fork PRs require maintainer approval before the workflow runs (an "action_required" conclusion), so external contributors cannot trigger it automatically. These are hardening improvements for the case in which an internal contributor's branch name is maliciously crafted.
Suggested fixes: