Critical "Comment and Control" Vulnerabilities Expose AI Agents in GitHub Workflows
Researchers from Johns Hopkins University, led by Aonan Guan, have uncovered a series of indirect prompt-injection vulnerabilities in AI agents integrated with GitHub, including Anthropic’s Claude Code Security Review, Google Gemini CLI Action, and GitHub Copilot Agent. Dubbed "Comment and Control," these attacks exploit GitHub’s standard communication channels such as pull request (PR) titles, issue descriptions, and comments to execute malicious commands without requiring external infrastructure.
How the Attacks Work
The vulnerabilities stem from AI agents’ inability to distinguish between legitimate system instructions and attacker-embedded payloads. When parsing manipulated GitHub content, the agents execute the injected commands under the permissions of the GitHub Actions runner, leading to the unauthorized exfiltration of environment variables, API keys, and access tokens.
Agent-Specific Exploits
-
Claude Code Security Review
- Flaw: PR titles are interpolated into the agent’s prompt without sanitization.
- Impact: Attackers embed bash commands (e.g.,
whoami,ps auxeww) in PR titles, causing the agent to execute them and expose secrets likeANTHROPIC_API_KEYandGITHUB_TOKENin PR comments or logs. - Severity: Rated CVSS 9.4 (Critical). Anthropic mitigated the issue by blocking the
pstool.
-
Google Gemini CLI Action
- Flaw: The agent processes issue titles, bodies, and comments as part of its prompt.
- Impact: Attackers append a fake "Trusted Content Section" to issue comments, overriding Gemini’s safety instructions. The agent then outputs the
GEMINI_API_KEYin a public issue comment.
-
GitHub Copilot Agent
- Flaw: A stealthier attack uses hidden HTML comments in GitHub issues to bypass multiple security layers.
- Impact: When a victim assigns an issue to Copilot, the agent parses the hidden payload, executes
ps auxeww | base64, and commits the encoded environment variables to a new PR. The attack evades:- Environment filtering (by reading parent process memory).
- Secret scanning (via base64 encoding).
- Network firewalls (exfiltrating via
git push).
Root Cause & Broader Implications
The vulnerabilities highlight a fundamental architectural conflict in AI agent deployments: these tools require access to sensitive secrets and powerful execution environments (e.g., bash, Git operations) while simultaneously processing untrusted user input a core part of software development workflows. Until this conflict is addressed, indirect prompt-injection attacks will remain a persistent threat, regardless of model-level defenses.
The findings underscore the need for strict input sanitization, least-privilege execution, and runtime isolation in AI-driven automation tools.
Source: https://gbhackers.com/claude-code-gemini-cli-and-github-copilot-exposed/
GitHub cybersecurity rating report: https://www.rankiteo.com/company/github
Anthropic cybersecurity rating report: https://www.rankiteo.com/company/anthropicresearch
"id": "GITANT1776774649",
"linkid": "github, anthropicresearch",
"type": "Vulnerability",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'AI/Technology',
'name': 'Anthropic',
'type': 'Company'},
{'industry': 'AI/Technology',
'name': 'Google',
'type': 'Company'},
{'industry': 'Software Development/Technology',
'name': 'GitHub (Microsoft)',
'type': 'Company'}],
'attack_vector': ['Pull Request Titles',
'Issue Descriptions',
'Issue Comments',
'Hidden HTML Comments'],
'data_breach': {'data_encryption': ['Base64 encoding used in GitHub Copilot '
'Agent attack'],
'data_exfiltration': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Environment Variables',
'API Keys',
'Access Tokens']},
'description': 'Researchers from Johns Hopkins University uncovered indirect '
'prompt-injection vulnerabilities in AI agents integrated with '
'GitHub, including Anthropic’s Claude Code Security Review, '
'Google Gemini CLI Action, and GitHub Copilot Agent. These '
"attacks, dubbed 'Comment and Control,' exploit GitHub’s "
'standard communication channels (PR titles, issue '
'descriptions, and comments) to execute malicious commands '
'without external infrastructure, leading to unauthorized '
'exfiltration of environment variables, API keys, and access '
'tokens.',
'impact': {'brand_reputation_impact': 'Potential erosion of trust in '
'AI-driven security tools',
'data_compromised': ['Environment Variables',
'API Keys',
'Access Tokens'],
'operational_impact': 'Unauthorized command execution and data '
'exfiltration',
'systems_affected': ['GitHub Workflows', 'AI Agents']},
'lessons_learned': 'The vulnerabilities highlight a fundamental architectural '
'conflict in AI agent deployments: tools require access to '
'sensitive secrets and powerful execution environments '
'while processing untrusted user input. Strict input '
'sanitization, least-privilege execution, and runtime '
'isolation are critical to mitigating such risks.',
'post_incident_analysis': {'root_causes': "AI agents' inability to "
'distinguish between legitimate '
'system instructions and '
'attacker-embedded payloads in '
'GitHub content, combined with '
'excessive permissions granted to '
'agents.'},
'recommendations': ['Implement strict input sanitization for AI agents '
'parsing untrusted content',
'Enforce least-privilege execution environments',
'Adopt runtime isolation for AI-driven automation tools',
'Enhance monitoring and filtering of AI agent '
'interactions with external systems'],
'references': [{'source': 'Johns Hopkins University Research'}],
'response': {'containment_measures': ['Anthropic blocked the `ps` tool']},
'title': "Critical 'Comment and Control' Vulnerabilities Expose AI Agents in "
'GitHub Workflows',
'type': 'Indirect Prompt-Injection Vulnerability',
'vulnerability_exploited': 'Lack of input sanitization in AI agents parsing '
'GitHub content'}