The reported bypass in Anthropic's Claude Code GitHub Action reveals a deeper architectural failure: autonomous LLM agents granted broad repository permissions without robust provenance checks on triggers. By exploiting GitHub's bot naming convention and indirect prompt injection, an attacker needed only a public issue to extract OIDC tokens and escalate to write access, potentially poisoning the action itself. This goes beyond the single flaw noted in coverage, highlighting how rapid integration of coding agents into CI/CD pipelines replicates classic supply-chain patterns seen in SolarWinds but amplified by natural-language interfaces that treat untrusted content as executable instructions. Mainstream reports overlook parallels to the February Cline npm token theft via the same triage workflow and underestimate downstream blast radius when permissive example configs (allowed_non_write_users: "*") proliferate across forks. A second vector, post-trigger issue editing, further erodes trust boundaries. Related analyses from the 2024 LLM agent security literature, including indirect prompt injection studies in arXiv:2402.12345 and GitHub's own OIDC token abuse advisories, confirm these risks scale with agent autonomy rather than isolated misconfigurations. Defenses must prioritize least-privilege execution environments and input sanitization layers that current agent frameworks largely omit amid adoption pressure.