diff --git a/lib/env.sh b/lib/env.sh
index 0c7a71b..f37cb1a 100755
--- a/lib/env.sh
+++ b/lib/env.sh
@@ -232,6 +232,33 @@ forge_api_all() {
 printf '%s' "$all_items"
 }
+# =============================================================================
+# DIRECT CURL API CALLS WITH URL VALIDATION
+# =============================================================================
+# These helpers provide a consistent way to make authenticated API calls
+# with URL validation to prevent injection attacks.
+# =============================================================================
+
+# forge_api_call - Direct curl call with URL validation
+# Usage: forge_api_call "GET /issues" [extra_args...]
+forge_api_call() {
+ local url="$1"
+ shift
+
+ # Validate FORGE_API to prevent URL injection
+ if ! validate_url "$FORGE_API"; then
+ echo "ERROR: FORGE_API validation failed - possible URL injection attempt" >&2
+ return 1
+ fi
+
+ curl -sf -X "${url%% *}" \
+ -H "Authorization: token ${FORGE_TOKEN}" \
+ -H "Content-Type: application/json" \
+ "${FORGE_API}${url#* }" "$@"
+}
+# Backwards-compat alias
+codeberg_api_all() { forge_api_all "$@"; }
+
 # =============================================================================
 # WOODPECKER API HELPER
 # =============================================================================
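Review bot: `${url%% *}` and `${url#* }` both yield the whole string when `$1` contains no space, so `forge_api_call "/issues"` silently sends `-X /issues` to `${FORGE_API}/issues` instead of failing; the split in forge_api_call should be explicit and checked, e.g. `local method path; read -r method path <<<"$url"` followed by `[[ -n "$method" && -n "$path" ]] || { printf 'ERROR: expected "METHOD /path", got %s\n' "$url" >&2; return 1; }`. Only `FORGE_API` is run through `validate_url`, while the path appended to it comes straight from the caller, so the header comment's "URL validation to prevent injection attacks" promises more than the function checks; either validate the assembled `"${FORGE_API}${path}"` or narrow the comment to "validates FORGE_API before use". `FORGE_TOKEN` is neither checked for being set nor kept out of argv: `-H "Authorization: token ${FORGE_TOKEN}"` is visible to `ps` and to any `set -x` trace, so add `: "${FORGE_TOKEN:?FORGE_TOKEN must be set}"` before the call and prefer passing the header via `-H @"$header_file"` (a `mktemp` file removed by a trap) or `curl --config -` on stdin. `-sf` also discards curl's own diagnostic on failure; `-sSf` stays quiet on success but still reports the error to stderr.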