Comment and Control: Prompt Injection to Credential Theft in Claude Code, Gemini CLI, and GitHub Copilot Agent
By Aonan Guan, with Johns Hopkins University’s Zhengyu Liu and Gavin Zhong Press and interview requests welcome. Signal: (925) 860 9213 Three of the most widely deployed AI agents on GitHub Actions can be hijacked into leaking the host repository’s API keys and access tokens — using GitHub itself as the command-and-control channel. TL;DR Comment and Control — a play on Command and Control (C2) — is a class of prompt injection attacks where GitHub comments (PR titles, issue bodies, issue comments) hijack AI agents running in GitHub Actions Found across three agents: Anthropic Claude Code Security Review, Google Gemini CLI Action, and GitHub Copilot Agent Impact: The host repository’s own GitHub Actions secrets (ANTHROPIC_API_KEY, GEMINI_API_KEY, GITHUB_TOKEN, and more) stolen from the runner environment by outside contributors First cross-vendor demonstration of this prompt injection pattern, coordinated disclosure from Anthropic, Google, and GitHub The Pattern These three (and many other) AI agents in GitHub Actions share the same flow: the agent reads GitHub data (PR title, issue body, comments), processes it as part of its task context, and executes tools based on the content. The injection surface is the GitHub data itself — PRs and issues crafted by outside contributors. The credentials stolen are the host repository’s own GitHub Actions secrets, configured by the project maintainers to power the agent. ...