Claude Code

By Aonan Guan, with Johns Hopkins University’s Zhengyu Liu and Gavin Zhong Press and interview requests welcome. Signal: (925) 860 9213 Three of the most widely deployed AI agents on GitHub Actions can be hijacked into leaking the host repository’s API keys and access tokens — using GitHub itself as the command-and-control channel. TL;DR Comment and Control — a play on Command and Control (C2) — is a class of prompt injection attacks where GitHub comments (PR titles, issue bodies, issue comments) hijack AI agents running in GitHub Actions Found across three agents: Anthropic Claude Code Security Review, Google Gemini CLI Action, and GitHub Copilot Agent Impact: The host repository’s own GitHub Actions secrets (ANTHROPIC_API_KEY, GEMINI_API_KEY, GITHUB_TOKEN, and more) stolen from the runner environment by outside contributors First cross-vendor demonstration of this prompt injection pattern, coordinated disclosure from Anthropic, Google, and GitHub The Pattern These three (and many other) AI agents in GitHub Actions share the same flow: the agent reads GitHub data (PR title, issue body, comments), processes it as part of its task context, and executes tools based on the content. The injection surface is the GitHub data itself — PRs and issues crafted by outside contributors. The credentials stolen are the host repository’s own GitHub Actions secrets, configured by the project maintainers to power the agent. ...

TL;DR Agent SkillSlip is a class of path traversal vulnerabilities in AI agent skill/plugin installers. The name field inside skill metadata is used directly in path.join() without validation, writing files to attacker-controlled locations — but the user only sees the archive filename or repository URL, not the internal metadata Found across three tools: Gemini CLI, Claude Code, and Vercel’s add-skill Impact ranges from VS Code terminal hijacking to SSH key injection add-skill fixed in PR #8 and PR #108. Gemini CLI and Claude Code remain unpatched as of writing The Pattern After installing a Gemini CLI skill: .vscode/settings.json injected, terminal hijacked ...

allowedDomains: [], “Empty array = no network access.” — Anthropic Sandbox Runtime Documentation The implementation did not match the documentation. When I configured Claude Code’s sandbox with allowedDomains: [], expecting complete network isolation, the sandbox was wide open and allowed connections to any server on the internet. Anthropic patched this quietly in Claude Code v2.0.55 with a changelog entry saying “Fix proxy DNS resolution” — no mention of a critical security flaw. They assigned CVE-2025-66479 to their runtime library but did not assign a CVE to their flagship product Claude Code. The changelog did not include a security advisory. In practice, the issue was fixed quietly and most users were unlikely to realize there was a security patch. ...