[task] Fix template injection vulnerabilities in Setup MCPs steps #3125

@github-actions

Objective

Add input validation and use intermediate variables to prevent template injection in "Setup MCPs" steps across affected workflows.

Context

Template expansion without validation in "Setup MCPs" steps creates code injection vulnerabilities (LOW severity). This affects 8 occurrences across 3 workflows. While low severity, these should be fixed to prevent potential exploitation.

Related to discussion #3120 - Static Analysis Report finding #3.

Approach

  1. Identify all template expansions in "Setup MCPs" steps
  2. Add input validation for template variables
  3. Use intermediate environment variables instead of direct template expansion
  4. Follow the pattern: assign to env var, then use the env var in script

Files to Modify

  • .github/workflows/duplicate-code-detector.md - Fix 4 template injection occurrences
  • .github/workflows/mcp-inspector.md - Fix 1 template injection occurrence
  • .github/workflows/smoke-codex.md - Fix 4 template injection occurrences
  • Recompile all affected workflows with gh aw compile

Example Fix Pattern

# Before (vulnerable)
- name: Setup MCPs
  run: |
    echo "Processing ${{ inputs.value }}"

# After (safe)
- name: Setup MCPs
  env:
    VALIDATED_INPUT: ${{ inputs.value }}
  run: |
    echo "Processing $VALIDATED_INPUT"

Acceptance Criteria

  • All 8 template injection occurrences fixed
  • Template inputs assigned to environment variables first
  • Scripts use environment variables instead of direct expansion
  • All workflows compile successfully
  • Zizmor scan shows no template-injection findings for these workflows

Related to 🔍 Static Analysis Report - November 4, 2025 #3120

AI generated by Plan Command for discussion #3120
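
An added example, not part of the original issue or the project's code: the shell body of a "Setup MCPs" step that combines the env-var pattern above with the input validation the Approach calls for. The variable name VALIDATED_INPUT comes from the issue; the functions validate_input and setup_mcps, the allowlist, and the sample values are assumptions.

```shell
#!/bin/sh
# In the workflow the value reaches the script through the step's env: mapping,
#   env:
#     VALIDATED_INPUT: ${{ inputs.value }}
# so the shell receives it as data instead of as part of the script text.

# Pin the locale so the A-Z / a-z ranges below cover ASCII letters only.
LC_ALL=C
export LC_ALL

# validate_input VALUE
# Succeeds only when VALUE is 1-64 characters drawn from letters, digits,
# '.', '_' and '-'. This allowlist is an assumption: tighten it to whatever
# the input legitimately needs.
validate_input() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# setup_mcps
# Validates $VALIDATED_INPUT, then uses it only in quoted form. Returns 1
# without touching the value when validation fails.
setup_mcps() {
  if ! validate_input "${VALIDATED_INPUT-}"; then
    echo "Setup MCPs: input rejected by allowlist" >&2
    return 1
  fi
  printf 'Processing %s\n' "$VALIDATED_INPUT"
}

# Constructed sample values: one legitimate, one carrying shell metacharacters.
for VALIDATED_INPUT in 'github-mcp_1.2' 'x"; echo injected #'; do
  setup_mcps || true
done
```

The environment variable keeps the value out of the script text, and the allowlist rejects values the step has no reason to accept before they reach any later command.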
