AI Agents Expose GitHub Secrets Through Comment Injection

Security researchers disclosed a prompt-injection pattern named "Comment and Control" that can hijack AI agents integrated with GitHub Actions to exfiltrate API keys, tokens, and environment secrets. The technique uses ordinary GitHub inputs (PR titles, issue bodies, comments, and hidden HTML comments) to inject attacker instructions into the agent's execution context. Confirmed targets include Claude Code Security Review, Google Gemini CLI Action, and GitHub Copilot Agent. The proof-of-concept executed shell commands such as whoami and ps auxeww, returned secrets like ANTHROPIC_API_KEY, GITHUB_TOKEN, and GEMINI_API_KEY, and posted the results back into PR comments or Actions logs. Vendors paid bug bounties but did not publish broad advisories or CVEs, leaving many repositories potentially pinned to vulnerable agent versions. The pattern likely generalizes to other agents and integrations that process untrusted text while holding runtime access to secrets and tools.
What happened
Security researcher Aonan Guan, with collaborators at Johns Hopkins University, published a prompt-injection attack class called "Comment and Control" that abuses GitHub as the delivery and control channel to hijack AI agents running in GitHub Actions. Confirmed victims include Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and GitHub Copilot Agent. The Claude issue, in which PR titles were interpolated into the system prompt and used to execute shell commands that exposed secrets such as ANTHROPIC_API_KEY and GITHUB_TOKEN, received a CVSS 9.4 rating. Google awarded a small bounty (reported $1,337) for a Gemini CLI proof-of-concept. Guan said, "I bypassed all of them." He also warned that vendors have not broadly warned users: "If they don't publish an advisory, those users may never know they are vulnerable."
Technical details
The attack exploits an architectural pattern common to many agent integrations: agents ingest untrusted GitHub text as part of their task context, and the same runtime that executes agent tools has access to production secrets. The technique has three practical vectors: PR titles, issue bodies/comments, and hidden HTML comments. The PoCs leveraged bash tools and OS commands such as whoami and ps auxeww to surface environment variables and process state. Key technical observations include:
- Agents interpolating GitHub metadata directly into prompts without sanitization or input classification.
- Execution contexts inheriting full environment variables from the GitHub Actions runner, exposing secrets like ANTHROPIC_API_KEY, GITHUB_TOKEN, and GEMINI_API_KEY.
- For GitHub Copilot Agent, the researcher bypassed three runtime defenses (environment filtering, secret scanning, network firewall) by hiding payloads in HTML comments, using ps to read parent process environments, and base64 encoding to evade scanners.
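The first observation above, metadata spliced raw into the prompt, is where the input side can be hardened. The following is an added illustration, not code from any of the affected products: it strips hidden HTML comments before a PR field reaches the model, screens the raw field for instruction-shaped text, and wraps the field in an assumed `<untrusted>` data fence instead of interpolating it into the system prompt. The phrase list is constructed and deliberately narrow.

```python
from __future__ import annotations
import re

# Hidden HTML comments are one of the three vectors in the write-up: the rendered
# PR view hides them, but the raw text reaches the agent unchanged.
HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)

# Constructed, deliberately narrow screen for text that reads as instructions to
# the agent (or as the commands the PoC ran) rather than as a change description.
INSTRUCTION_HINTS = re.compile(
    r"ignore (all |the )?(previous|above) instructions"
    r"|\brun\b.*\b(whoami|ps\s+aux|printenv)"
    r"|\b(print|echo|post|reveal)\b.*\b(secret|token|api[_ ]?key)",
    re.IGNORECASE | re.DOTALL,
)

def strip_hidden_comments(text: str) -> str:
    """Drop HTML comments so an invisible payload never reaches the prompt."""
    return HTML_COMMENT.sub("", text)

def looks_like_injection(text: str) -> bool:
    """Screen the raw field, comments included: hidden instructions are a signal."""
    return INSTRUCTION_HINTS.search(text) is not None

def build_untrusted_block(field: str, text: str) -> str:
    """Wrap a GitHub-supplied field as fenced data instead of splicing it into
    the system prompt. The <untrusted> fence is an assumed convention the model
    is told to treat as data; a closing fence inside the text is neutralised so
    the content cannot end the block early and continue as instructions."""
    cleaned = strip_hidden_comments(text).replace("</untrusted>", "&lt;/untrusted&gt;")
    return f'<untrusted source="{field}">\n{cleaned}\n</untrusted>'

def prepare_pr_context(title: str, body: str) -> tuple[str, list[str]]:
    """Return (prompt_fragment, flagged_fields). A non-empty flagged list should
    abort the run before any tool is invoked, not merely log a warning."""
    flagged, parts = [], []
    for field, text in (("pr_title", title), ("pr_body", body)):
        if looks_like_injection(text):
            flagged.append(field)
        parts.append(build_untrusted_block(field, text))
    return "\n".join(parts), flagged
```

The fence only helps if the model is instructed to treat its contents as data and the harness aborts on a flagged field; the screen is a cheap first filter, not a substitute for keeping secrets out of the agent's runtime.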
Context and significance
This is not a localized bug; it reveals a systemic engineering tradeoff in agent architectures. Many teams grant agents runtime tool access and secrets to automate diagnostics, remediation, and deployment. That convenience creates attack surface when inputs are not treated as adversarial. The attack pattern generalizes beyond GitHub Actions to any agent that processes external text while retaining access to tools and secrets: Slack bots, Jira/email agents, and CI/CD automation are all at risk. The vendors involved provided bug bounties but did not universally publish advisories or CVEs, which raises operational risk because maintainers may remain pinned to vulnerable versions without knowing it.
Mitigations and short-term fixes
Effective defenses are engineering controls that change the threat model rather than signature patches. Recommended mitigations include input sanitization and classification, strict separation of agent tool runtime from production secrets, least-privilege GitHub Actions tokens, ephemeral scoped credentials, disabling unsafe tool access by default, and treating any external text as untrusted by default. Secret scanning and network egress controls must operate across process boundaries, not just within language runtimes. Vendors have already applied targeted mitigations (for example, Anthropic blocked the ps tool), but broad architecture changes are required to eliminate the class.
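One concrete form of "secret scanning across process boundaries" is a gate in the harness that posts the agent's comments and logs, sitting outside the model's tool loop. The following is an added example, not vendor code: it checks outgoing text for the values of the named runner secrets both raw and after decoding any base64-looking run (the evasion noted above), and refuses the post when one is found. The secret names are taken from the write-up; the environment values in the test are constructed.

```python
from __future__ import annotations
import base64
import os
import re

# Secret names the write-up shows being read out of the runner environment.
# In practice, take this list from the workflow's declared secrets.
SECRET_NAMES = ("ANTHROPIC_API_KEY", "GITHUB_TOKEN", "GEMINI_API_KEY")
B64_BLOB = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")

def _decoded_blobs(text: str) -> list[str]:
    """Decode every base64-looking run (padding restored), both as written and
    with whitespace removed, so a secret encoded together with other output or
    line-wrapped by the encoder is still visible to the plain-text match."""
    out = []
    for src in (text, re.sub(r"\s+", "", text)):
        for blob in B64_BLOB.findall(src):
            padded = blob + "=" * (-len(blob) % 4)
            for decoder in (base64.b64decode, base64.urlsafe_b64decode):
                try:
                    out.append(decoder(padded).decode("utf-8", "ignore"))
                except ValueError:  # binascii.Error is a ValueError subclass
                    pass
    return out

def find_leaks(text: str, env: dict[str, str]) -> list[str]:
    """Names of secrets whose value appears in text, raw or base64-encoded."""
    candidates = [text] + _decoded_blobs(text)
    hits = []
    for name in SECRET_NAMES:
        value = env.get(name)
        if not value or len(value) < 8:  # never match on a trivial value
            continue
        if any(value in c for c in candidates):
            hits.append(name)
    return hits

def safe_to_post(text: str, env: dict[str, str] | None = None) -> tuple[bool, str]:
    """Gate for the comment/log sink. Returns (allowed, redacted_copy). Run it in
    the harness that calls the GitHub API, outside the model's tool loop, so an
    injected instruction cannot talk the agent out of the check."""
    env = dict(os.environ) if env is None else env
    leaks = find_leaks(text, env)
    redacted = text
    for name in leaks:
        value = env[name]
        for form in (value, base64.b64encode(value.encode()).decode()):
            redacted = redacted.replace(form, f"[REDACTED:{name}]")
    return not leaks, redacted
```

The redacted copy is best-effort for internal logging; the real control is that a detected leak blocks the post. This catches only encodings the gate knows how to reverse, which is why the section's other advice, keeping secrets out of the agent runtime entirely, still comes first.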
What to watch
Watch for vendor advisories, CVEs, and coordinated disclosure timelines from Anthropic, Google, and Microsoft/GitHub. Expect new hardening patterns in official Actions templates: more use of ephemeral runner tokens, explicit deny-lists for tooling, and offloading potentially dangerous tool execution to isolated runtimes. Also monitor for automated scanners and CI linter rules that flag agents ingesting untrusted GitHub content without sandboxing.
Scoring Rationale
The vulnerability lets attackers exfiltrate production secrets from widely used AI agents at Anthropic, Google, and GitHub, representing a major, systemic security failure for agent architectures. It affects core developer workflows and likely applies to other integrations, warranting high attention from practitioners and ops teams.