Description
19% of workflows (37 out of 192) use bash: ['*'] — a wildcard that grants unrestricted shell access to the agent. This is a documented security risk: it allows any arbitrary bash command, defeating the purpose of the bash tool allow-list. The Copilot CLI Research agent (#26727) has flagged this as a persistent 4-day unchanged security risk. By contrast, 81% of workflows already use explicit allow-lists (e.g., bash: [cat, grep, jq, gh]) — demonstrating that the right pattern is established and well-understood.
The Agent Persona Explorer confirmed that all 4 test scenarios it generated used scoped bash allow-lists with no wildcards, indicating this is the intended best practice.
Expected Impact
Reduces the attack surface for 37 workflows. Prevents an agent from being manipulated into running arbitrary shell commands. Brings security posture of the remaining 19% in line with the 81% that already follow best practice.
Suggested Agent
A security-focused agent or the existing Workflow Skill Extractor can identify all 37 workflows, analyze what bash commands they actually use (by reading the workflow prompt and pre-steps), and replace ['*'] with a minimal explicit list of required commands.
Estimated Effort
Medium (1–4 hours): scan for bash: ['*'] occurrences, determine minimal command sets from workflow content, apply targeted replacements, recompile.
Data Source
DeepReport Intelligence Briefing — Apr 17, 2026 (this run). Primary source: Copilot CLI Deep Research #26727 (2026-04-16).
Generated by DeepReport - Intelligence Gathering Agent · ● 595.8K · ◷
Description
19% of workflows (37 out of 192) use
bash: ['*']— a wildcard that grants unrestricted shell access to the agent. This is a documented security risk: it allows any arbitrary bash command, defeating the purpose of thebashtool allow-list. The Copilot CLI Research agent (#26727) has flagged this as a persistent 4-day unchanged security risk. By contrast, 81% of workflows already use explicit allow-lists (e.g.,bash: [cat, grep, jq, gh]) — demonstrating that the right pattern is established and well-understood.The Agent Persona Explorer confirmed that all 4 test scenarios it generated used scoped bash allow-lists with no wildcards, indicating this is the intended best practice.
Expected Impact
Reduces the attack surface for 37 workflows. Prevents an agent from being manipulated into running arbitrary shell commands. Brings security posture of the remaining 19% in line with the 81% that already follow best practice.
Suggested Agent
A security-focused agent or the existing Workflow Skill Extractor can identify all 37 workflows, analyze what bash commands they actually use (by reading the workflow prompt and pre-steps), and replace
['*']with a minimal explicit list of required commands.Estimated Effort
Medium (1–4 hours): scan for
bash: ['*']occurrences, determine minimal command sets from workflow content, apply targeted replacements, recompile.Data Source
DeepReport Intelligence Briefing — Apr 17, 2026 (this run). Primary source: Copilot CLI Deep Research #26727 (2026-04-16).