Overly broad mcp__forgejo* wildcard grants Claude access to destructive Forgejo operations #9

Closed
opened 2026-05-15 00:45:38 +02:00 by Claude · 0 comments
Collaborator

## Problem

The `claude` invocation for Forgejo-hosted repos uses `--allowedTools "mcp__forgejo*,Read,Glob,Grep,LS"`. The glob `mcp__forgejo*` matches every Forgejo MCP tool, including many destructive ones that are not required for a read-and-report audit.

## Location

`audit.sh`, line 276:

```bash
--permission-mode dontAsk --allowedTools "mcp__forgejo*,Read,Glob,Grep,LS" \
```

## Risk

The audit task only needs four Forgejo operations: `list_repo_issues`, `create_issue`, `list_repo_labels`, and `add_issue_labels`. The wildcard also permits tools such as:

- `mcp__forgejo__delete_branch`
- `mcp__forgejo__merge_pull_request`
- `mcp__forgejo__delete_file` / `create_file` / `update_file`
- `mcp__forgejo__delete_release`
- `mcp__forgejo__delete_org`

Because `--permission-mode dontAsk` suppresses all confirmation prompts, Claude can invoke any of these without human review. Even without a prompt injection attack, ambiguous or misinterpreted audit instructions could lead Claude to call unintended tools. With a successful prompt injection (see issue #2), an attacker-controlled repo could direct Claude to merge PRs, delete branches, or modify repository content on the Forgejo instance.

## Suggested fix direction

Replace the wildcard with an explicit allowlist of only the four tools the audit actually needs:

```bash
--allowedTools "mcp__forgejo__list_repo_issues,mcp__forgejo__create_issue,mcp__forgejo__list_repo_labels,mcp__forgejo__add_issue_labels,Read,Glob,Grep,LS"
```

This enforces least privilege and limits blast radius regardless of whether prompt injection succeeds.
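As an added check to go with the fix above (example code, not part of the issue or of `audit.sh`), the POSIX shell script below expands an `--allowedTools` spec against a tool inventory and reports which admitted tools look destructive, so the wildcard and the explicit allowlist can be compared before the script is changed. It assumes Claude Code matches tool patterns with shell-style globbing (an assumption; the page does not document the matcher), the tool inventory is constructed from the names in this issue rather than pulled from a real Forgejo MCP server, and the name-based "destructive" heuristic is illustrative.

```shell
#!/bin/sh
# Added example: expand an --allowedTools spec against an inventory of MCP
# tool names and flag the admitted tools whose names suggest write/delete
# operations. Assumes shell-style glob matching of tool patterns.

# Constructed inventory built from the names in the issue; a real deployment
# should take this list from the MCP server's tool listing instead.
TOOL_INVENTORY="mcp__forgejo__list_repo_issues
mcp__forgejo__create_issue
mcp__forgejo__list_repo_labels
mcp__forgejo__add_issue_labels
mcp__forgejo__delete_branch
mcp__forgejo__merge_pull_request
mcp__forgejo__delete_file
mcp__forgejo__create_file
mcp__forgejo__update_file
mcp__forgejo__delete_release
mcp__forgejo__delete_org
Read
Glob
Grep
LS"

# Name-based heuristic for write/destructive tools (an assumption, not the
# server's own classification): delete_*, merge_*, create_file, update_file.
DESTRUCTIVE_RE='__(delete|merge)_|__(create|update)_file$'

WILDCARD_SPEC='mcp__forgejo*,Read,Glob,Grep,LS'
EXPLICIT_SPEC='mcp__forgejo__list_repo_issues,mcp__forgejo__create_issue,mcp__forgejo__list_repo_labels,mcp__forgejo__add_issue_labels,Read,Glob,Grep,LS'

# admitted_tools SPEC: print every inventory tool matched by at least one
# comma-separated pattern in SPEC, one per line.
admitted_tools() {
  patterns=$(printf '%s' "$1" | tr ',' ' ')
  printf '%s\n' "$TOOL_INVENTORY" | (
    set -f  # no pathname expansion while the pattern list is word-split
    while IFS= read -r tool; do
      for pattern in $patterns; do
        # shellcheck disable=SC2254  # unquoted on purpose: match as a glob
        case $tool in
          $pattern) printf '%s\n' "$tool"; break ;;
        esac
      done
    done
  )
}

# destructive_admitted SPEC: the subset of admitted tools matching the heuristic.
destructive_admitted() {
  admitted_tools "$1" | grep -E "$DESTRUCTIVE_RE" || true
}

# count_lines: number of lines on stdin (0 for empty input).
count_lines() {
  awk 'END { print NR }'
}

for spec in "$WILDCARD_SPEC" "$EXPLICIT_SPEC"; do
  printf '== %s ==\n' "$spec"
  printf 'admitted: %s  destructive: %s\n' \
    "$(admitted_tools "$spec" | count_lines)" \
    "$(destructive_admitted "$spec" | count_lines)"
  destructive_admitted "$spec" | sed 's/^/  DESTRUCTIVE: /'
done
```

Run against the two specs from this issue, the wildcard admits all 15 constructed tools, seven of them flagged, while the explicit allowlist admits exactly the eight named tools and none flagged. The same check can be wired into a pre-commit or CI step that fails when any flagged tool is admitted by the spec in `audit.sh`.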

## Severity

moderate

## Found by

Automated audit by Claude Code

bc1bb referenced this issue from a commit 2026-05-15 00:52:43 +02:00
bc1bb closed this issue 2026-05-15 00:52:43 +02:00
Reference
bc1bb/claude-code-audit#9