Comment and Control prompt injection vulnerabilities discovered in AI agents, including Claude Code Security Review, Google Gemini CLI Action, and GitHub Copilot Agent.
“Comment and Control” is an indirect prompt-injection attack technique that exploits the core functionality of GitHub-integrated AI agents. The attack vector requires no external infrastructure.
Instead, it uses standard GitHub communication channels, such as pull request (PR) titles, issue descriptions, and comments, to deliver malicious instructions directly into the AI agent’s execution context.
The research, spearheaded by Aonan Guan and Johns Hopkins University researchers, highlights critical architectural flaws in how these AI tools process untrusted user input within GitHub workflows.
The vulnerability exists because these AI agents are designed to read and analyze repository content as part of their routine operations.
When an agent parses a manipulated PR or issue, it fails to differentiate between the developer’s system instructions and the attacker’s embedded payload.
Consequently, the agent executes the attacker’s commands using the permissions of the GitHub Actions runner, leading to the unauthorized exfiltration of environment variables, API keys, and access tokens.
Analyzing the Exploits by Agent
Claude Code Security Review
Anthropic’s Claude Code Security Review is a GitHub Action that automates PR security analysis.
The vulnerability stems from the agent interpolating PR titles directly into its prompt without proper sanitization.
In this scenario, an attacker can craft a PR title containing bash commands (e.g., whoami or ps auxeww).
Because the Claude CLI is invoked without explicitly disallowing specific tools, the subprocess inherits all environment variables, including ANTHROPIC_API_KEY and GITHUB_TOKEN.
The agent executes the injected commands and includes the extracted secrets in its JSON response, which is then posted publicly as a PR comment or silently recorded in the Actions log.
This flaw was rated a CVSS 9.4 (Critical) and was mitigated by Anthropic blocking the ps tool.
Google Gemini CLI Action
The Google Gemini CLI Action, which integrates Gemini into GitHub issue workflows, is similarly vulnerable. The agent’s prompt includes the issue title, body, and comments.
Attackers exploit this by appending a fabricated “Trusted Content Section” to their issue comments. This injection overrides Gemini’s foundational safety instructions, tricking the model into believing it is operating in a secure environment.
As a result, the agent willingly outputs the GEMINI_API_KEY directly into a public issue comment, exposing the credential to anyone viewing the repository.
GitHub Copilot Agent
The exploit against the GitHub Copilot Agent demonstrates a highly sophisticated bypass of multiple runtime-level security layers.
Unlike the visible injections used against Claude and Gemini, the Copilot attack utilizes an invisible payload hidden within an HTML comment inside a GitHub issue.
When a victim unknowingly assigns the seemingly benign issue to Copilot, the agent parses the raw Markdown, including the hidden HTML comment.
The attacker’s instructions command Copilot to execute ps auxeww | base64 and commit the output to a new PR .
This attack successfully bypassed three distinct security controls:
- Environment Filtering: Copilot attempts to filter sensitive variables from the bash subprocess, but the parent Node.js and MCP server processes retain their full environments. Running ps auxeww allows the bash subprocess to read the unfiltered environment of its parent processes.
- Secret Scanning: GitHub’s secret scanning API looks for specific token prefixes (e.g., ghs_). By forcing the agent to encode the output in base64, the attacker evades this detection mechanism.
- Network Firewall: While Copilot restricts outbound connections, GitHub.com is allowed. The exfiltration occurs via a standard git push to the repository, bypassing the firewall entirely.
The underlying cause of these vulnerabilities is an architectural conflict inherent to current AI agent deployments.
These agents require access to highly sensitive production secrets and powerful tools (such as bash execution and Git operations) to perform their intended tasks.
However, they must simultaneously process untrusted user-generated input, such as PRs and issues, which is an essential part of the software development lifecycle.
As long as AI agents combine the processing of untrusted data with access to critical infrastructure, they will remain susceptible to indirect prompt injection attacks, regardless of the prompt-level or model-level defenses in place.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
