
Security: amber-auto-review.yml workflow is vulnerable to prompt injection from fork PRs #749

@varunsh-coder


Summary

Your amber-auto-review.yml workflow is configured in a way that allows any GitHub user to trigger an AI code review with write permissions on untrusted fork code. This was recently exploited by the hackerbot-claw bot (PRs #732 and #733), which attempted prompt injection via a poisoned CLAUDE.md. Claude detected and refused the attack — but the underlying workflow configuration that enabled the attack vector is still in place.

A fix was applied on March 1 (commit ed18288) but was reverted 24 minutes later because the change was believed to be accidental. The revert restored the vulnerable configuration.

Vulnerable Configuration

The workflow at .github/workflows/amber-auto-review.yml has four issues that combine to create the attack surface:

  1. pull_request_target trigger — Runs with the base repository's secrets and permissions, even for fork PRs. The official claude-code-action documentation uses pull_request (not pull_request_target) in every example.

  2. Fork code checkout — The workflow checks out github.event.pull_request.head.repo.full_name at github.event.pull_request.head.ref, which means it loads the attacker's code — including any modified CLAUDE.md — as trusted context.

  3. allowed_non_write_users: '*' — Allows any GitHub user to trigger the workflow. The claude-code-action security documentation explicitly warns this is "a significant security risk."

  4. contents: write permissions — Grants the workflow token write access to repository contents. The official docs recommend contents: read.

What Happened

On February 28, 2026, hackerbot-claw opened PRs #732 and #733, replacing CLAUDE.md with social engineering instructions designed to manipulate Claude into committing unauthorized changes. The workflow ran, checked out the fork's code, and loaded the poisoned CLAUDE.md as trusted project context.

Claude (running claude-sonnet-4-6) detected both prompt injection attempts and refused to comply. The tool allowlisting (--allowedTools restricting Claude to read-only gh commands) provided an additional layer of defense.

Recommended Fixes

Option A (simplest): Switch from pull_request_target to pull_request. Fork PRs won't have access to secrets, but this is the safest pattern.

Option B (if you need fork PR reviews):

  • Remove allowed_non_write_users: '*' or restrict it to specific trusted users
  • Change permissions to contents: read
  • Do not check out fork code — or if you must, do not load CLAUDE.md or other config files from the fork
  • Add CLAUDE.md to CODEOWNERS with mandatory maintainer approval

In either case, re-apply the fix from commit ed18288 (or an equivalent) as a starting point, then iterate from there.
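To make the four configuration points and the Option A fix concrete, the following is an added illustration written for this report, not the repository's actual amber-auto-review.yml and not code from the claude-code-action project. The first document reconstructs the vulnerable shape described above; the second applies Option A plus the permission and trigger-gating steps from Option B. The job and step layout, the `pull-requests: write` permission (assumed to be needed to post the review), the secret name, the prompt text and the specific `--allowedTools` patterns are assumptions; only the trigger, the checkout inputs, `allowed_non_write_users: '*'` and the `contents` permission come from the issue.

```yaml
# Document 1: vulnerable shape as described in the issue (illustrative reconstruction).
# Each commented line maps to one of the four issues.
name: amber-auto-review
on:
  pull_request_target:            # issue 1: runs with base-repo secrets even for fork PRs
    types: [opened, synchronize]
permissions:
  contents: write                 # issue 4: workflow token can write to the repository
  pull-requests: write            # assumed: needed to post the review comment
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # issue 2: checks out the fork's code, so the fork's CLAUDE.md becomes trusted context
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.ref }}
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}   # assumed secret name
          allowed_non_write_users: '*'                          # issue 3: any GitHub user can trigger the run
          prompt: "Review this pull request and leave comments." # assumed prompt text
          # read-only gh commands; the issue credits this allowlist with limiting the incident
          claude_args: '--allowedTools "Bash(gh pr view:*),Bash(gh pr diff:*)"'  # assumed patterns
---
# Document 2: hardened variant (Option A trigger, least-privilege token, no '*' gate).
# Fork PRs receive no secrets under pull_request, so the review does not run for them.
name: amber-auto-review
on:
  pull_request:                   # not pull_request_target; matches every example in the official docs
    types: [opened, synchronize]
permissions:
  contents: read                  # the docs' recommended scope
  pull-requests: write            # assumed: still needed to post the review comment
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4 # no repository/ref override: nothing from a fork is loaded as project context
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}   # assumed secret name
          # allowed_non_write_users is deliberately absent: only users with write access can trigger the run
          prompt: "Review this pull request and leave comments." # assumed prompt text
          claude_args: '--allowedTools "Bash(gh pr view:*),Bash(gh pr diff:*)"'  # assumed patterns
```

If fork reviews are genuinely required (Option B), keep the second document's permissions and the absence of `allowed_non_write_users: '*'`, and under `pull_request_target` leave `actions/checkout` at its default so the base repository's CLAUDE.md, never the fork's, is what the action reads; a CODEOWNERS line for CLAUDE.md then ensures changes to that file need maintainer approval before they can influence any review.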

We have published a blog post covering the hackerbot-claw campaign, which targeted multiple repositories including this one.
