Full Report
Researchers who found the flaws scored beer money bounties and warn the problem is probably pervasive Exclusive Security researchers hijacked three popular AI agents that integrate with GitHub Actions by using a new type of prompt injection attack to steal API keys and access tokens, and the vendors who run agents didn’t disclose the problem.…
Analysis Summary
# Vulnerability: "Comment-and-Control" Prompt Injection in AI GitHub Agents
## CVE Details
- **CVE ID**: None assigned (Vendors opted for bug bounties without public advisories)
- **CVSS Score**: 9.4 (Research context)
- **Severity**: Critical
- **CWE**: CWE-116 (Improper Encoding or Escaping of Output), CWE-20 (Improper Input Validation)
## Affected Systems
- **Products**:
- Anthropic Claude Code Security Review (GitHub Action)
- Google Gemini CLI Action
- Microsoft GitHub Copilot (Agent-based PR/Issue workflow)
- **Versions**: All versions prior to November 2024; research indicates users "pinned" to older versions remain vulnerable.
- **Configurations**: Any repository where these AI agents are configured to automatically trigger on Pull Request (PR) titles, issue bodies, or comments.
## Vulnerability Description
The "Comment-and-Control" attack is a proactive form of Indirect Prompt Injection. Unlike traditional prompt injection which requires a user to ask an AI to process a malicious file, this flaw exploits the automated nature of GitHub Actions.
AI agents process untrusted GitHub metadata (PR titles, issue comments) as "context." Attackers can craft malicious instructions within these fields—sometimes hidden within HTML comments—to hijack the agent's tool-calling capabilities. Because these agents often have access to sensitive environments, they can be tricked into executing shell commands (via Bash tools) or leaking environment secrets (API keys, GitHub tokens) by posting them back as PR comments or security findings.
## Exploitation
- **Status**: PoC available; demonstrated to vendors via bug bounty programs.
- **Complexity**: Low (Requires only the ability to open a PR or comment on a public/accessible repository).
- **Attack Vector**: Network (Remote)
## Impact
- **Confidentiality**: Critical (Complete theft of API keys, GitHub access tokens, and repository secrets).
- **Integrity**: High (Ability to execute commands and potentially modify code via the agent).
- **Availability**: Low (Primary focus is data exfiltration and unauthorized execution).
## Remediation
### Patches
- **Anthropic**: Updated `claude-code-security-review`. Users should ensure they are using the latest version and not pinned to outdated releases.
- **Google/Microsoft**: No specific version numbers provided, but flaws were acknowledged and addressed via backend updates/internal fixes.
### Workarounds
- **Require Approval**: Configure repositories to "Require approval for all external contributors" before GitHub Actions workflows are triggered.
- **Principle of Least Privilege**:
- Disable unused tools (e.g., if a bot only reviews code, disable its access to Bash/Shell execution).
- Limit the scope of GitHub tokens provided to the agents (Read-only vs. Write).
- **Manual Review**: Vigilantly inspect PR titles and metadata for unusual instructions or HTML comments.
## Detection
- **IOCs**:
- Unusual `whoami` or credential-access commands appearing in AI-generated PR comments.
- Bot comments containing JSON outputs of environment variables or API keys.
- PRs that are quickly edited or deleted after a bot responds (used to hide the trace of exfiltration).
- **Methods**: Audit GitHub Action logs for unexpected tool invocations and monitor bot-generated comments for sensitive patterns (e.g., `xoxp-`, `ghp_`, `sk-`).
## References
- Anthropic Documentation: hxxps://github[.]com/anthropics/claude-code-security-review
- Researcher Blog (Aonan Guan): hxxps://oddguan[.]com/blog/comment-and-control-prompt-injection-credential-theft-claude-code-gemini-cli-github-copilot/
- PoC Repository: hxxps://github[.]com/0dd/Claude-review-poc/pull/68