How ‘Comment and Control’ Turns GitHub Text Into an AI Attack Surface
Comment and Control is a newly identified prompt injection attack that abuses everyday GitHub text fields—pull request titles, issue bodies, and comments—to seize control of AI coding agents. Instead of hosting a malicious site or file, the attacker simply opens a PR or posts an issue containing hidden instructions. GitHub Actions workflows for Claude Code Security Review, Gemini CLI Action, and GitHub Copilot Agent automatically feed this content into the agent as trusted context. Because these agents are designed to analyze repository content, they often fail to distinguish between system prompts and hostile text blended into user-facing descriptions. The result is a proactive prompt injection attack: creating or updating a PR or issue can silently trigger the AI agent, which then follows the attacker’s directions using the permissions and secrets available in the CI/CD runner. This makes AI coding security a live runtime problem, not just a model-safety concern.
From GitHub Comment to Secret Exfiltration: What Actually Happens
In the reported Comment and Control exploits, the full attack loop runs entirely inside GitHub. An attacker crafts a PR title or comment that breaks out of the intended system prompt and instructs the AI agent to run commands like env, whoami, or file reads. For Claude Code Security Review, the PR title was interpolated directly into the prompt with no sanitization, while the Claude CLI inherited all environment variables, including ANTHROPIC_API_KEY and GITHUB_TOKEN. Similar patterns affected Gemini CLI and GitHub Copilot Agent, where agents treated untrusted issue and PR content as instructions and executed them with GitHub Actions runner permissions. The agent then exfiltrated secrets—API keys, access tokens, and other environment data—by posting them back as PR comments, issue comments, or even commits. No external C2 server is needed; GitHub’s own communication channels become the exfiltration path, turning a simple comment into a prompt injection attack that exposes AI agent secrets.
Multi‑Vendor Impact and the Gap Between System Cards and Reality
The same Comment and Control payload successfully compromised three vendors’ AI coding integrations: Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub’s Copilot Agent. The researcher’s disclosure describes how a single malicious prompt caused Claude Code to post its own API key, with Gemini and Copilot exhibiting similar behavior via GitHub workflows. Anthropic’s system card for Opus explicitly states that Claude Code Security Review is “not hardened against prompt injection,” framing it as a feature meant for trusted inputs and placing responsibility on users to restrict permissions. However, the runtime protections and their limits were not clearly documented. In contrast, OpenAI and Google system cards focus heavily on model-layer injection resistance and red teaming, but provide little detail on agent-runtime or tool-execution safeguards. This cross‑vendor incident highlights a key AI coding security lesson: system cards may acknowledge or test for prompt injection in theory, yet real‑world agent behavior in CI/CD remains under‑documented and under‑protected.
Why AI Coding Agents Keep Leaking Secrets
Comment and Control builds on a broader pattern: AI coding assistants struggle to understand what must never be exposed. Check Point research shows that code assistants ignore .gitignore rules and happily ingest entire workspaces, including environment files and API keys. When developers later request database code or integration snippets, the model often regurgitates exact credentials from its local context. Similarly, GitHub‑integrated agents are wired to read PRs, issues, and repository files to provide helpful automation, but they lack robust guardrails around instruction precedence and secret handling. NVIDIA’s analysis of indirect AGENTS.md injection in Codex shows how configuration files and dependencies can silently rewrite agent instructions at build time. Across these cases—IDE plugins, CI/CD agents, and supply‑chain‑driven instruction files—the common weakness is runtime context handling, not just model behavior. Without stricter boundaries on what agents can read, execute, and echo back, prompt injection attacks will continue to turn AI agent secrets into easy targets.
Practical Mitigations: Lock Down Your Agents, Not Just Your Code
To reduce exposure to Comment and Control and similar prompt injection attacks, teams need CI/CD‑aware defenses. First, minimize and scope secrets in GitHub Actions: avoid exposing high‑value credentials to workflows that process untrusted PRs or issues, and carefully evaluate use of pull_request_target triggers. Where possible, run AI coding agents with restricted permissions, using least‑privilege tokens, no default access to production APIs, and explicit tool allow/deny lists. Sanitize or filter untrusted GitHub content before passing it into prompts: strip or escape PR titles, issue text, and comments, and treat anything from forks or external contributors as hostile input. Monitor for suspicious prompts and outputs, such as env dumps, long base64 blobs, or comments containing keys. Finally, incorporate AI coding security into code review and threat modeling, drawing on emerging benchmarks and vendor documentation to validate agent-runtime behavior, not just model red‑teaming results.