Security Researcher Exposes Critical AI Agent Vulnerabilities in GitHub Workflows

In a groundbreaking disclosure that sent shockwaves through the AI security community, researchers from Johns Hopkins University have uncovered a fundamental flaw in how AI coding agents handle untrusted input in GitHub workflows, potentially exposing millions of organizations to credential theft and system compromise.

The “Comment and Control” Exploit: A Perfect Storm of AI and CI/CD Vulnerabilities

The vulnerability, dubbed “Comment and Control” by researchers Aonan Guan, Zhengyu Liu, and Gavin Zhong, demonstrates how malicious instructions embedded in GitHub pull request titles can hijack AI coding agents to exfiltrate sensitive API keys and secrets without requiring any external infrastructure.

The attack vector is deceptively simple yet devastatingly effective: a researcher opened a GitHub pull request, typed a malicious instruction into the PR title, and watched as Anthropic’s Claude Code Security Review action, Google’s Gemini CLI Action, and GitHub’s Copilot Agent (Microsoft) all posted their own API keys as comments in response.

“This isn’t just another security flaw—it’s a fundamental design gap in how we integrate AI agents into our development workflows,” said Merritt Baer, Chief Security Officer at Enkrypt AI and former Deputy CISO at AWS. “The runtime is the blast radius.”

Timeline of Disclosure and Patch Response

The vulnerability timeline reveals concerning disparities in how major AI companies respond to security threats:

• Anthropic: Classified as CVSS 9.4 Critical with a $100 bounty
• Google: Paid a $1,337 bounty for the discovery
• GitHub: Awarded $500 through the Copilot Bounty Program

Notably, despite the Critical rating, Anthropic’s $100 bounty was significantly lower than industry standards for such severe vulnerabilities. All three companies patched the vulnerabilities quietly, and as of publication, none had issued CVEs in the NVD or published security advisories through GitHub Security Advisories.

What Makes This Vulnerability So Dangerous

The exploit leverages a specific vulnerability in Claude Code Security Review, a GitHub Action feature that Anthropic’s own system card acknowledged is “not hardened against prompt injection.” The feature is designed to process trusted first-party inputs by default, but when users opt into processing untrusted external PRs and issues, they accept additional risk and are responsible for restricting agent permissions.

The attack chain is particularly insidious because it uses GitHub’s own API as the command and control channel. The agent reads its API key from the runner environment variable, encodes it in a PR comment body, and posts it through GitHub’s API—no attacker-controlled infrastructure required.

The Three-System Card Analysis: What Vendors Document vs. What They Protect

A comprehensive analysis of the system cards from Anthropic, OpenAI, and Google reveals significant gaps between what vendors document and what they actually protect:

Anthropic (Opus 4.7)

• System Card Depth: 232 pages with quantified hack rates and injection resistance metrics
• Cyber Verification Program: CVP removes cyber safeguards for vetted pentesters doing authorized offensive work
• Restricted Model Strategy: Mythos held back as capability preview; Opus 4.7 is the testbed
• Runtime Agent Safeguards: Claude Code Security Review explicitly “not hardened against prompt injection”

OpenAI (GPT-5.4)

• System Card Depth: Extensive red teaming documented, but no injection resistance rates published
• Cyber Verification Program: Trusted Access for Cyber (TAC) scales to thousands
• Restricted Model Strategy: No restricted model; full capability released with access gated
• Runtime Agent Safeguards: Not documented; TAC governs access, not agent operations

Google (Gemini 3.1 Pro)

• System Card Depth: Few pages; defers to older Gemini 3 Pro card
• Cyber Verification Program: None; Automated Red Teaming program remains internal only
• Restricted Model Strategy: No restricted model; no stated plan for one
• Runtime Agent Safeguards: Not documented

Seven Critical Threat Classes That Current Safeguards Miss

The researchers identified seven distinct threat classes that neither vendor safeguard approaches nor traditional security controls adequately address:

1. Deployment Surface Mismatch

Your team may be running a verified model on an unverified surface. CVP is designed for authorized offensive security research, not prompt injection defense, and does not extend to Bedrock, Vertex, or ZDR tenants.

2. CI Secrets Exposed to AI Agents

API keys, tokens, and production secrets stored as GitHub Actions env vars are readable by every workflow step, including AI coding agents. The agent can read these secrets from the runner environment and exfiltrate them through legitimate API calls.

3. Over-Permissioned Agent Runtimes

AI agents are granted excessive permissions (bash execution, git push, API write access) at setup and never scoped down. The Comment and Control agent had bash access it didn’t need for code review, which it used to read env vars and post exfiltrated data.

4. No CVE Signal for AI Agent Vulnerabilities

Despite CVSS 9.4 Critical ratings and patches from all three vendors, zero CVE entries exist in NVD. Your vulnerability scanner, SIEM, and GRC tools all show green despite active exploitation risks.

5. Model Safeguards Don’t Govern Agent Actions

Opus 4.7 blocks phishing email prompts but doesn’t block an agent from reading $ANTHROPIC_API_KEY and posting it as a PR comment. Safeguards gate generation, not operation.

6. Untrusted Input Parsed as Instructions

PR titles, PR body text, issue comments, code review comments, and commit messages are all parsed by AI coding agents as context and can contain injected instructions.

7. No Comparable Injection Resistance Data Across Vendors

Anthropic publishes quantified injection resistance rates; OpenAI and Google do not. Procurement has no baseline and no framework to require one.

Immediate Actions Required: Your 48-Hour Security Checklist

Security experts recommend immediate action on the following fronts:

1. Build a Deployment Map

Email your Anthropic and OpenAI account reps today with one question: “Confirm whether [your platform] and [your data retention config] are covered by your runtime-level prompt injection protections, and describe what those protections include.”

2. Audit Every Runner for Secret Exposure

Run: grep -r 'secrets\.' .github/workflows/ across every repo with an AI agent. List every secret the agent can access, rotate all exposed credentials, and migrate to short-lived OIDC tokens.

3. Fix Agent Permissions Repo by Repo

Strip bash execution from every AI agent doing code review. Set repository access to read-only. Gate write access (PR comments, commits, merges) behind a human approval step.

4. Add “AI Agent Runtime” to Your Supply Chain Risk Register

Assign a 48-hour patch verification cadence with each vendor’s security contact. Do not wait for CVEs—none have come yet for this class of vulnerability.

5. Prepare Procurement Questions

Write one sentence for your next vendor meeting: “Show me your quantified injection resistance rate for my model version on my platform.” Document refusals for EU AI Act high-risk compliance.

The Bigger Picture: Systemic Risk in AI Agent Design

“This isn’t about vendor-specific vulnerabilities,” Baer emphasized. “It’s about systemic risk in how we design AI agents. When you wire a powerful model into a permissive runtime, you’ve already done most of the attacker’s work for them.”

The Comment and Control exploit focuses on GitHub Actions today, but the seven threat classes generalize to most CI/CD runtimes where AI agents execute with access to secrets, including GitHub Actions, GitLab CI, CircleCI, and custom runners.

As AI agents become increasingly integrated into development workflows, the gap between what vendors document and what they protect becomes a critical security concern. The exploit proves that runtime-level protections—not just model-layer safeguards—are essential for securing AI agent deployments.

Tags & Viral Phrases:

• AI agent security vulnerability
• GitHub workflow compromise
• Prompt injection attack
• Credential theft via AI
• CI/CD security breach
• Anthropic Claude Code exploit
• Google Gemini CLI vulnerability
• GitHub Copilot Agent flaw
• Johns Hopkins security research
• Runtime-level AI protection
• Zero-day AI agent vulnerability
• Supply chain attack vector
• EU AI Act compliance risk
• OIDC token migration
• AI agent permission audit
• Comment and Control exploit
• System card security gaps
• CVSS 9.4 critical vulnerability
• AI runtime blast radius
• Agent composability risk
• Security by design failure
• Model safeguards vs agent operations
• Untrusted input processing
• AI agent runtime mapping
• 48-hour security response
• Enterprise AI security posture
• Vendor risk register update
• Quantified injection resistance
• Cyber verification program gaps
• AI agent permission scoping
• GitHub Actions security hardening
• AI agent runtime protections
• Enterprise AI security checklist
• AI agent deployment surface
• Runtime-level prompt injection
• AI agent secret exposure
• AI agent over-permissioning
• CVE signal gap
• AI agent safeguard limitations
• Input sanitization defense
• AI agent security architecture
• AI agent portability
• AI agent security standards
• AI agent runtime audit
• AI agent credential rotation
• AI agent security framework
• AI agent compliance requirements
• AI agent security metrics
• AI agent runtime verification
• AI agent security documentation
• AI agent risk assessment

,