Summary
Claude-backed gh-aw workflows install @anthropic-ai/claude-code@latest on the bare host runner before the AWF firewall container is initialised. npm lifecycle scripts (preinstall/postinstall) therefore execute with unrestricted network access and with ANTHROPIC_API_KEY, GH_AW_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN, and GITHUB_TOKEN all present in the process environment. A supply-chain compromise of the @latest tag (account takeover, dependency confusion, or malicious patch) would allow credential exfiltration before any sandbox or firewall control exists. Separately, inside the AWF sandbox the agent runs with registry.npmjs.org in the network allowlist and GITHUB_TOKEN absent from --exclude-env, meaning a postinstall script from an agent-installed package can reach api.github.com with live credentials. Version pinning is already documented as a supported capability (engine: version: "2.1.70") but is not the default.
Affected Area
Claude engine — pre-sandbox host-runner install step (trust boundary: host runner before AWF sandbox initialisation); AWF agent sandbox network and environment boundary.
Reproduction Outline
- Inspect any compiled Claude-backed .lock.yml (e.g. pentest-blogs-clinejection-ai-installs-ai.lock.yml): the npm install -g @anthropic-ai/claude-code@latest step precedes Install AWF binary, Download container images, and Start MCP Gateway.
- Confirm that ANTHROPIC_API_KEY, GH_AW_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN, and GITHUB_TOKEN are declared in the same job environment and are thus available to any npm lifecycle script during the install.
- For Stage 2: trigger a Claude workflow (e.g. via an issue command) on a repo with the Bash tool and registry.npmjs.org in the sandbox allowlist; a postinstall script in an agent-installed package can read GITHUB_TOKEN and reach api.github.com.
Observed Behavior
npm install -g @anthropic-ai/claude-code@latest runs outside the AWF sandbox with full host credentials in scope. Inside the sandbox, GITHUB_TOKEN is not excluded from the agent environment while registry.npmjs.org and api.github.com are in the network allowlist.
Expected Behavior
- The Claude CLI should be installed from a pinned, integrity-verified version matching the engine: version: frontmatter capability, or from a pre-baked container image, so that no lifecycle script runs with access to host-level secrets.
- Inside the sandbox, GITHUB_TOKEN should be in --exclude-env and repository access should pass only through the GitHub MCP server. registry.npmjs.org should be absent from the allowlist unless the workflow task explicitly requires npm operations.
Security Relevance
Stage 1 (pre-sandbox unpinned install) is a dangerous default that creates a concrete credential-exfiltration window independent of model behaviour; it affects all 24+ compiled Claude-backed lock files. Stage 2 (sandbox env/network gap) weakens defense-in-depth: a model-compliance bypass or prompt injection could allow a postinstall script to use GITHUB_TOKEN against the live GitHub API from within the AWF container.
gh-aw version: v0.67.1
Original finding: https://github.com/githubnext/gh-aw-security/issues/1673