diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index bfc085d..2f517e7 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -103,4 +103,4 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           export CODEBASE_DESCRIPTION="${{ inputs.codebase-description }}"
-          curl -fsSL https://raw.githubusercontent.com/kernel/security-workflows/main/.github/workflows/semgrep-triage-prompt.md | envsubst '${GITHUB_REPOSITORY} ${CODEBASE_DESCRIPTION}' | agent -p --model ${{ secrets.CURSOR_PREFERRED_MODEL }} --force --output-format=text
+          curl -fsSL https://raw.githubusercontent.com/kernel/security-workflows/main/.github/workflows/semgrep-triage-prompt.md | envsubst '${GITHUB_REPOSITORY} ${CODEBASE_DESCRIPTION}' | agent -p --model ${{ vars.CURSOR_PREFERRED_MODEL }} --force --output-format=text
diff --git a/.github/workflows/vuln-remediation.yml b/.github/workflows/vuln-remediation.yml
index 03ce3cb..747a14c 100644
--- a/.github/workflows/vuln-remediation.yml
+++ b/.github/workflows/vuln-remediation.yml
@@ -297,7 +297,7 @@ jobs:
 
           if git diff --quiet; then
             export DATE="$(date -u +%Y-%m-%d)"
-            curl -fsSL https://raw.githubusercontent.com/kernel/security-workflows/${{ inputs.security-workflows-ref }}/.github/workflows/vuln-remediation/fix-prompt.md | envsubst '${GITHUB_REPOSITORY} ${DATE}' | agent -p --model ${{ secrets.CURSOR_PREFERRED_MODEL }} --workspace . --trust --force --output-format=text
+            curl -fsSL https://raw.githubusercontent.com/kernel/security-workflows/${{ inputs.security-workflows-ref }}/.github/workflows/vuln-remediation/fix-prompt.md | envsubst '${GITHUB_REPOSITORY} ${DATE}' | agent -p --model ${{ vars.CURSOR_PREFERRED_MODEL }} --workspace . --trust --force --output-format=text
           fi
 
       - name: Validate remediation diff
diff --git a/README.md b/README.md
index 02183fa..70c6b07 100644
--- a/README.md
+++ b/README.md
@@ -88,6 +88,11 @@ projectIgnorePaths:
 Consumer repos need these secrets (set at org or repo level):
 
 - `CURSOR_API_KEY` — for the triage/fix agents
-- `CURSOR_PREFERRED_MODEL` — model for agent invocations
 - `ADMIN_APP_ID` + `ADMIN_APP_PRIVATE_KEY` — GitHub App for write access
 - `SOCKET_API_TOKEN` — Socket.dev API token
+
+## Required variables
+
+Consumer repos need these variables (set at org or repo level):
+
+- `CURSOR_PREFERRED_MODEL` — model for agent invocations