diff --git a/.github/workflows/claude-auto-fix-ci.yml b/.github/workflows/claude-auto-fix-ci.yml
index 993545c6a..ec918c519 100644
--- a/.github/workflows/claude-auto-fix-ci.yml
+++ b/.github/workflows/claude-auto-fix-ci.yml
@@ -15,9 +15,19 @@ permissions:
 jobs:
 auto-fix:
+ # Only run when the failing CI run came from a PR pushed to a branch in
+ # *this* repository. workflow_run executes in the base-repo context with
+ # access to repository secrets (CLAUDE_CODE_OAUTH_TOKEN, SUPERMEMORY_API_KEY,
+ # write-scoped GITHUB_TOKEN); checking out arbitrary PR code in that context
+ # is the canonical "pwn request" pattern. github.event.workflow_run.pull_requests
+ # is documented to be empty for fork PRs, but we add an explicit
+ # head_repository == repository check so the security intent is visible in
+ # the workflow file and not dependent on an implicit GitHub-side guarantee.
+ # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
 if: |
 github.event.workflow_run.conclusion == 'failure' &&
- github.event.workflow_run.pull_requests[0]
+ github.event.workflow_run.pull_requests[0] &&
+ github.event.workflow_run.head_repository.full_name == github.event.workflow_run.repository.full_name
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
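Review bot: The new `head_repository.full_name == repository.full_name` clause in the `if:` treats every branch in this repository as trusted, but bot-authored branches (for example Dependabot updates, if they are enabled here) also live in the base repository and would pass it while carrying third-party changes. Since the added comment states that the job runs with repository secrets and a write-scoped token, consider also excluding bot actors, e.g. appending `&& github.event.workflow_run.actor.login != 'dependabot[bot]'` to the condition. The job's steps begin at the end of the hunk and continue outside it, so which ref the checkout step fetches cannot be confirmed from here.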