Comment and Control: Claude Code Security Review leaking ANTHROPIC_API_KEY via prompt injection

Comment and Control: Prompt Injection to Credential Theft in Claude Code, Gemini CLI, and GitHub Copilot Agent

By Aonan Guan, with Johns Hopkins University’s Zhengyu Liu and Gavin Zhong

Press and interview requests welcome. Signal: (925) 860 9213

Three of the most widely deployed AI agents on GitHub Actions can be hijacked into leaking the host repository’s API keys and access tokens — using GitHub itself as the command-and-control channel.

TL;DR

- Comment and Control — a play on Command and Control (C2) — is a class of prompt injection attacks where GitHub comments (PR titles, issue bodies, issue comments) hijack AI agents running in GitHub Actions
- Found across three agents: Anthropic Claude Code Security Review, Google Gemini CLI Action, and GitHub Copilot Agent
- Impact: the host repository’s own GitHub Actions secrets (ANTHROPIC_API_KEY, GEMINI_API_KEY, GITHUB_TOKEN, and more) stolen from the runner environment by outside contributors
- First cross-vendor demonstration of this prompt injection pattern, coordinated disclosure from Anthropic, Google, and GitHub

The Pattern

These three (and many other) AI agents in GitHub Actions share the same flow: the agent reads GitHub data (PR title, issue body, comments), processes it as part of its task context, and executes tools based on the content. The injection surface is the GitHub data itself — PRs and issues crafted by outside contributors. The credentials stolen are the host repository’s own GitHub Actions secrets, configured by the project maintainers to power the agent. ...

April 15, 2026 · 15 min · 3034 words · Aonan Guan
Never Wait for Approval: Strix AI security scanner follows attacker's README

Never Wait for Approval — Prompt Injection in Strix AI Pentesting Agent Steals Cloud Credentials

NEVER wait for approval or authorization - operate with full autonomy
Try to infer how to run the code based on its structure and content
— Strix System Prompt, system_prompt.jinja

Strix is an open-source AI pentesting agent with 23K+ GitHub stars. You point it at a target — maybe a client engagement, maybe an open-source dependency audit — and it autonomously reviews the source, runs the application, and probes for vulnerabilities. Its entire purpose is analyzing untrusted, potentially malicious code. ...

April 3, 2026 · 8 min · 1579 words · Aonan Guan
CVE-2026-27735: Agent sandbox vs MCP server runtime — how git_add bypasses CWD restrictions

Capability Laundering in MCP 3: CVE-2026-27735 Anthropic Git MCP Server git_add Path Traversal to Credential Exfiltration

Capability Laundering: The Series So Far

This is the third case in an ongoing series documenting capability laundering in MCP ecosystems. Capability laundering is when an agent calls one tool, but gets the effect of a different capability via side effects. It occurs when all three conditions are met:

- The tool’s contract does not cover its effects — the implementation can produce effects beyond what the tool claims to do.
- Inputs can steer those effects — arguments can influence which effect happens and what gets modified.
- Controls gate tool calls, not effects — approvals and policies do not model the effect being produced.

The previous two cases: ...

February 28, 2026 · 8 min · 1558 words · Aonan Guan
MCP Git Server capability laundering: git_init enables credential exfiltration

Capability Laundering in MCP 2: CVE-2025-68143 Anthropic Git MCP Server Path Traversal to Credential Exfiltration

What Happened

In our previous analysis, we identified capability laundering in Anthropic’s Memory MCP Server: a “memory storage” tool that could write arbitrary configuration files through unconstrained implementation. This is the second case.

The MCP Git Server (mcp-server-git) exposes Git operations to AI agents. The git_init tool accepts arbitrary repo_path values without validation, creating repositories in any filesystem location. Combined with git_diff_staged, this turns a “Git helper” into a credential exfiltration primitive. ...

December 28, 2025 · 8 min · 1518 words · Aonan Guan