diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 39a83f1..d6151a0 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -54,7 +54,7 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v6
- - name: attempt command substitution via uses
+ - name: Attempt command substitution via uses
 id: command-substitution
 uses: ./.
 with:
@@ -71,3 +71,16 @@ jobs:
 echo "::error::Expected command substitution not to happen"
 exit 1
 fi
+ - name: Attempt expression injection
+ uses: ./.
+ id: expression-injection
+ with:
+ uses: ./.github/actions/echo
+ with: |
+ echo: ${{ '$' }}{{ env.expected }}
+ ignored: whatever
+ - uses: ./.github/actions/assert-equal
+ with:
+ expected: "${{ '$' }}{{ env.expected }}"
+ actual: ${{ fromJSON(steps.expression-injection.outputs.outputs).echo }}
+ 
\ No newline at end of file
diff --git a/action.yml b/action.yml
index a72abf3..5682675 100644
--- a/action.yml
+++ b/action.yml
@@ -36,7 +36,7 @@ runs:
 id: run
 uses: '$(echo "$uses" | sed "s/'/''/g")'
 with:
- $(echo "$with" | sed 's/^/ /')
+ $(echo "$with" | sed -E "s/^/ /; s/\\\$\\{\\{/\${{'$'}}{{'\$'}}{{/g")
 DYNAMIC_USES_EOF
 - name: Run
 id: run
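Review bot: The `expression-injection` step only covers a single `${{` at the very start of one input value, so the `/g` flag that the companion action.yml change relies on for repeated or mid-value occurrences is left untested; a second input such as `echo: prefix ${{ '$' }}{{ env.expected }} and ${{ '$' }}{{ env.expected }}` with a matching `expected` would pin that. The `env.expected` variable and the job header are defined outside this hunk, so the step's dependency on them cannot be checked here. The final added line is whitespace-only and the file now ends without a newline (`\ No newline at end of file`); drop that line so the workflow ends at `actual: …` with a terminating newline, which is also what yamllint expects.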
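Review bot: The replacement in the new sed expression appears to escape `${{` twice: inside the double-quoted shell string each `\$` becomes `$`, so sed would receive the replacement `${{'$'}}{{'$'}}{{`, and a single round of GitHub expression evaluation on the generated file then yields `${{'$'}}{{ … }}` rather than the literal `${{ … }}` the new test compares against — as far as I can trace it, bash hands the `$(…)` body inside the unquoted heredoc to the subshell without backslash processing, so this is worth confirming by printing the generated file in a test run. If one level of escaping is what is intended, `"s/^/ /; s/\\\$\\{\\{/\${{'\$'}}{{/g"` produces `${{'$'}}{{`. Note also that this only neutralises expression syntax; `$with` is still spliced into the generated YAML by indentation alone, so a multi-line value whose later lines are dedented past the `with:` key could escape that mapping and introduce keys or steps of its own — if `with` may come from a less trusted source than `uses`, consider rejecting lines that do not look like an indented `key: value` pair or that begin with `-`. The heredoc and the `run` step continue outside this hunk.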