Three AI coding agents leaked secrets through a single prompt injection. One vendor's system card predicted it

Recently, a security researcher and their team at Johns Hopkins University discovered a vulnerability in GitHub Actions, specifically affecting Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub’s Copilot Agent (Microsoft). By injecting a malicious prompt into a GitHub pull request, the researcher was able to expose API keys. This exploit highlighted the security risks associated with AI agent integrations, showcasing the potential for unauthorized access without the need for external infrastructure.

The security researcher, Aonan Guan, along with Zhengyu Liu and Gavin Zhong from Johns Hopkins University, detailed their findings in a technical disclosure. They named the vulnerability “Comment and Control,” as it took advantage of the way GitHub Actions handles secrets in pull request workflows that run AI agents. While GitHub Actions does not expose secrets to fork pull requests by default, workflows triggered by pull_request_target, which AI agent integrations often require, inject repository secrets into the runner environment, where attacker-controlled pull request content processed by the agent can reach them.
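As an added illustration (not code from the researchers or from any of the three vendors), the following stdlib-only audit flags workflow files that combine the pull_request_target trigger with untrusted pull request content and secrets handed to a step, and contrasts a constructed weak workflow with a hardened one. The action name example-org/ai-review-agent is a hypothetical placeholder.

```python
"""Coarse text audit for the 'Comment and Control' shape in GitHub Actions
workflows: pull_request_target plus untrusted PR content plus secrets in a step."""
import re

PRT_TRIGGER = re.compile(r"\bpull_request_target\b")
# PR/comment fields that anyone able to open a PR or comment controls.
UNTRUSTED = re.compile(
    r"github\.event\.(pull_request\.(body|title|head\.(ref|sha))"
    r"|comment\.body|issue\.(body|title))")
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.")
SAME_REPO_GATE = re.compile(r"head\.repo\.full_name\s*==\s*github\.repository")

def audit_workflow(text: str) -> list[str]:  # empty list = risky shape absent
    if not PRT_TRIGGER.search(text):
        return []  # plain pull_request gives fork PRs no repository secrets
    findings = ["pull_request_target: repository secrets are loaded into the runner"]
    if UNTRUSTED.search(text):
        findings.append("untrusted PR/comment content is fed into a job step")
    if SECRET_USE.search(text):
        findings.append("a step receives ${{ secrets.* }} on that same run")
    if not SAME_REPO_GATE.search(text):
        findings.append("no same-repository gate on the PR head")
    return findings

# Constructed sample of the weak shape ('example-org/ai-review-agent' is hypothetical).
WEAK = """
on: [pull_request_target]
jobs:
  review:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: example-org/ai-review-agent@v1
        with:
          prompt: "Review: ${{ github.event.pull_request.body }}"
          api_key: ${{ secrets.MODEL_API_KEY }}
"""
# Constructed hardened sample: no secrets for fork PRs, same-repo gate, read-only token.
HARDENED = """
on: [pull_request]
permissions:
  contents: read
jobs:
  review:
    if: github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: example-org/ai-review-agent@v1
        with:
          api_key: ${{ secrets.MODEL_API_KEY }}
"""
```

Run it over the .github/workflows directory of a repository to list the jobs worth reviewing by hand; a text match is a triage signal, not proof of exploitability.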

Following the disclosure, Anthropic classified the vulnerability as critical, Google and GitHub awarded bounties for the findings, and all three vendors quietly patched the issue. However, no CVEs were issued for the vulnerabilities, and no security advisories were published through GitHub Security Advisories as of the time of reporting.

The exploit, known as Comment and Control, targeted a specific feature of Anthropic’s Claude Code Security Review, which was not designed to handle prompt injections. While the vendors patched the vulnerabilities, the incident shed light on the gaps between documented security measures and actual protection offered by these AI coding agents.

While OpenAI and Google did not provide comments on the matter, security experts emphasized the need for stronger security measures at the runtime level where AI agents operate. The incident underscored the importance of understanding the risks associated with AI agent integrations and ensuring robust security protocols are in place.

Key Points from the Incident

The incident highlighted the following key points:

  • GitHub Actions workflows that hand secrets to AI agents processing pull request content are vulnerable to prompt injection, exposing API keys and other sensitive information.
  • Vendors like Anthropic, Google, and GitHub awarded bounties for the findings but did not issue CVEs or publish security advisories.
  • The exploit, named Comment and Control, showcased the need for stronger security measures in AI agent integrations.
  • Understanding the risks associated with AI agent integrations is crucial for maintaining a secure development environment.

Overall, the incident serves as a reminder of the importance of robust security measures and thorough vulnerability assessments, especially when integrating AI agents into CI/CD pipelines.