Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .github/workflows/claude-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,7 @@ jobs:
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
github_token: ${{ secrets.GITHUB_TOKEN }}
allowed_non_write_users: "*"

Copilot AI Feb 21, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Setting allowed_non_write_users to "*" allows anyone (including external contributors without write access) to trigger Claude code reviews by mentioning @claude in comments. This could enable malicious actors to:

  1. Trigger expensive Claude API calls, leading to cost abuse
  2. Potentially extract sensitive information from the codebase through carefully crafted prompts
  3. Use the workflow as a resource exhaustion vector

If this is intentional for an open-source project, consider adding rate limiting or restricting this to specific users/organizations instead of a wildcard. If not intentional, remove this line to use the default behavior which typically restricts triggering to users with write access.

Suggested change
allowed_non_write_users: "*"

Copilot uses AI. Check for mistakes.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Remove wildcard non-writer allowlist for review trigger

Setting allowed_non_write_users: "*" in this pull_request_target review job opens invocation to all non-write users, including external contributors, while the run uses a write-scoped GITHUB_TOKEN and a paid Anthropic API key. This introduces an abuse path (cost amplification and write-capable automation by untrusted actors) that did not exist with a constrained allowlist, so the list should be explicit and limited to trusted users.

Useful? React with 👍 / 👎.


# Enable progress tracking and show full Claude output in logs
track_progress: true
Expand Down Expand Up @@ -148,4 +149,4 @@ jobs:

# Restrict tools that Claude can use during the review
claude_args: |
--allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"
--allowedTools "mcp__github__,mcp__github_inline_comment__,Bash(gh)"

Copilot AI Feb 21, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The allowedTools parameter has been broadened from specific commands to wildcard patterns. The previous configuration explicitly restricted Claude to only:

  • create_inline_comment for GitHub
  • gh pr comment, gh pr diff, gh pr view for Bash

The new configuration allows:

  • ALL mcp__github__ tools (not just inline comments)
  • ALL mcp__github_inline_comment__ operations
  • ALL gh commands (not just pr-related ones)

This significantly expands Claude's capabilities and could allow unintended actions like creating/deleting branches, merging PRs, modifying workflow files, or running arbitrary gh commands. The original restrictive approach was more secure. Unless there's a specific need for these additional capabilities, revert to the explicit whitelist or carefully enumerate only the required tools.

Suggested change
--allowedTools "mcp__github__,mcp__github_inline_comment__,Bash(gh)"
--allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh(pr comment,pr diff,pr view))"

Copilot uses AI. Check for mistakes.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Restrict Claude Bash access to specific gh subcommands

In the workflow section I inspected (.github/workflows/claude-review.yml), changing --allowedTools to Bash(gh) grants Claude access to run any GitHub CLI command, while this job’s token still has pull-requests: write, issues: write, and actions: write. That materially expands the blast radius from “review/comment” into repository mutation if the model is steered by untrusted PR content or prompt injection; the allowlist should stay scoped to the minimal gh subcommands required for review.

Useful? React with 👍 / 👎.