diff --git a/.changeset/patch-fix-allocation-overflow-bash-tool-merging.md b/.changeset/patch-fix-allocation-overflow-bash-tool-merging.md
new file mode 100644
index 0000000000..5fc3565ccb
--- /dev/null
+++ b/.changeset/patch-fix-allocation-overflow-bash-tool-merging.md
@@ -0,0 +1,7 @@
+---
+"gh-aw": patch
+---
+
+Security Fix: Allocation Size Overflow in Bash Tool Merging (Alert #7)
+
+Fixed a potential allocation size overflow vulnerability (CWE-190) in the workflow compiler's bash tool merging logic. The fix implements input validation, overflow detection, and reasonable limits to prevent integer overflow when computing capacity for merged command arrays. This is a preventive security fix that maintains backward compatibility with no breaking changes.
diff --git a/pkg/workflow/compiler.go b/pkg/workflow/compiler.go
index 8f8543e089..d752158fdc 100644
--- a/pkg/workflow/compiler.go
+++ b/pkg/workflow/compiler.go
@@ -1488,8 +1488,8 @@ func (c *Compiler) applyDefaultTools(tools map[string]any, safeOutputs *SafeOutp
 					}
 				}
 
-				// Start with default commands
-				mergedCommands := make([]any, 0, len(constants.DefaultBashTools)+len(bashArray))
+				// Start with default commands (append handles capacity automatically)
+				var mergedCommands []any
 				for _, cmd := range constants.DefaultBashTools {
 					if !existingCommands[cmd] {
 						mergedCommands = append(mergedCommands, cmd)