This one made me laugh: prompt injection via a GitHub issue picked up by a GitHub Actions workflow that runs Claude with no permission limits:
Cline’s (now removed) issue triage workflow ran on the issues event and configured the claude-code action with allowed_non_write_users: "*", meaning anyone with a GitHub account can trigger it simply by opening an issue. Combined with --allowedTools "Bash,Read,Write,Edit,Glob,Grep,WebFetch,WebSearch", this gave Claude arbitrary code execution within default-branch workflow.
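A check for the combination described in the quote, as an added example that is not part of the original post or of Cline's repository: it flags a workflow that runs on issue events, lets any account trigger the agent, and grants tools that can execute commands or write files. Both workflow texts are constructed samples; the `claude_args` key, the action reference and the restricted variant are assumptions.

```python
import re

RISKY_TOOLS = {"Bash", "Write", "Edit"}  # can run commands or change files

# Constructed sample, not Cline's actual workflow file. The claude_args key
# and the action reference are assumptions; the two settings are as quoted.
VULNERABLE = '''\
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          allowed_non_write_users: "*"
          claude_args: --allowedTools "Bash,Read,Write,Edit,Glob,Grep,WebFetch,WebSearch"
'''

# Constructed counter-example: no non-write users allowed, read-only tools.
RESTRICTED = '''\
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          claude_args: --allowedTools "Read,Glob,Grep"
'''

def audit_workflow(text):
    """Flag the combination described above in one workflow file's text."""
    # Events that any GitHub account can fire with text it controls.
    trigger = re.search(
        r"^\s*(on\s*:.*\b(issues|issue_comment)\b|(issues|issue_comment)\s*:)",
        text, re.M) is not None
    m = re.search(r"allowed_non_write_users\s*:\s*[\"']?([^\"'\n#]+)", text)
    open_to_all = m is not None and m.group(1).strip() == "*"
    m = re.search(r"--allowedTools[ =]+[\"']?([^\"'\n]+)", text)
    granted = re.split(r"[,\s]+", m.group(1)) if m else []
    # "Bash(git log:*)" still counts as Bash: a conservative choice.
    risky = sorted(RISKY_TOOLS & {t.split("(")[0] for t in granted})
    return {"untrusted_trigger": trigger, "open_to_all": open_to_all,
            "risky_tools": risky,
            "critical": trigger and open_to_all and bool(risky)}

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("restricted", RESTRICTED)):
        print(name, audit_workflow(wf))
```

Run over every file in `.github/workflows/`, a `critical` result marks a workflow where untrusted issue text reaches an agent holding command-execution or file-write tools.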