Prompt Injection Threat: Claude Code, Gemini CLI, and Copilot Agent All Compromised

Vulnerability Overview

Researchers found that three popular AI agents running in GitHub Actions can be hijacked through a new class of prompt‑injection attacks, dubbed Comment and Control . By injecting malicious commands into PR titles, issue bodies, or hidden HTML comments, an attacker can cause the agent to execute arbitrary commands and steal the host repository’s API keys and tokens, all without leaving the GitHub platform.

Affected Agents

Anthropic Claude Code Security Review

Google Gemini CLI Action

GitHub Copilot Agent

The attack surface for each agent differs—Claude Code reads the PR title, Gemini CLI reads issue comments, and Copilot parses hidden HTML in issue bodies—but the underlying injection pattern is identical.

Attack Flow

All three agents share the same workflow: they ingest untrusted GitHub data (PR title, issue comment, or issue body), embed it in a prompt, and then run tool commands based on the prompt. The injected payload is executed, and the command output (including environment variables) is returned to the attacker via PR comments, issue comments, or a generated file in a pull request.

Claude Code – PR Title Injection

The agent concatenates the PR title directly into its security‑audit prompt without sanitisation. An attacker submits a PR with a malicious title that includes a newline to break out of the prompt context and inject commands such as whoami or ps auxeww. The agent executes the commands and returns the output in a JSON response, which appears as a PR comment. The leaked credentials (e.g., ANTHROPIC_API_KEY, GITHUB_TOKEN) also appear in the GitHub Actions log.

Gemini CLI – Issue Comment Injection

After confirming the Claude Code exploit, the researchers demonstrated the same technique on Gemini CLI. The action appends the entire issue content to an “Additional Content” section of the prompt. By adding a forged “Trusted Content” block after the legitimate content, the attacker overwrites Gemini’s safety instructions and forces the model to echo the GEMINI_API_KEY in an issue comment, exposing the full API key publicly.

Copilot Agent – Hidden HTML Injection

Copilot’s workflow differs: the attacker creates an issue whose visible text is harmless, but embeds malicious commands inside an HTML comment (e.g., <!-- ... whoami ... ps auxeww ... -->). The comment is invisible in the rendered Markdown but is parsed by the agent. When the issue is assigned to Copilot, the hidden payload runs, writes a base64‑encoded environment snapshot to running‑environment‑checkmark.txt, and opens a pull request containing the file. The file’s contents include the full process environment, revealing tokens such as GITHUB_TOKEN, GITHUB_COPILOT_API_TOKEN, and others.

Mitigations and Disclosure

Anthropic upgraded the CVSS score to 9.4 and added a --disallowed-tools 'Bash(ps:*)' flag to block the ps command. Google’s Vulnerability Reward Program awarded $1,337 for the Gemini report. GitHub initially marked the Copilot issue as “Informative” but later reopened it after the researchers provided reverse‑engineered evidence of the UU() filter bypass; the issue was then fixed and a $500 bounty awarded.

"The Action was not designed to resist prompt injection." – Anthropic

"This is a known architectural limitation; we are exploring stricter restrictions." – GitHub

Root Cause and Recommendations

The core problem is that AI agents are given powerful execution capabilities (bash, git push, API calls) and production credentials while processing untrusted GitHub data in the same runtime. Even multi‑layer defenses (model‑level, prompt‑level, runtime filters) can be bypassed because the injection occurs within the agent’s intended workflow.

Organizations should apply the principle of least privilege to AI agents: limit allowed tools with --allowed-tools, restrict token exposure (avoid GITHUB_TOKEN unless necessary), and enforce strict white‑listing of both tools and network destinations. Black‑listing specific commands is a reactive “whack‑a‑mole” approach that can be evaded.

Timeline

2025‑10‑17: Reported Claude Code vulnerability (HackerOne #3387969).

2025‑10‑29: Reported Gemini CLI vulnerability (Google VRP #1609699).

2025‑11‑25: Anthropic released fix and $100 bounty.

2026‑01‑20: Gemini CLI bounty awarded ($1,337).

2026‑02‑08: Reported Copilot vulnerability (HackerOne #3544297).

2026‑03‑04: Copilot issue reopened; fix deployed and $500 bounty awarded.

FAQ

What is "Comment and Control"?

It is a prompt‑injection attack where the attacker uses GitHub data (PR title, issue body, or comment) to hijack an AI agent running in GitHub Actions, turning the platform itself into the command‑and‑control channel.

Is this just another indirect prompt injection?

No. Classic indirect injection waits for a human to trigger the model. Comment and Control is proactive: the GitHub Actions workflow automatically invokes the agent on pull‑request, issue, or comment events, requiring no victim interaction.

Which credentials can be stolen?

Any secret available to the workflow, including ANTHROPIC_API_KEY, GEMINI_API_KEY, GITHUB_TOKEN, GITHUB_COPILOT_API_TOKEN, GITHUB_PERSONAL_ACCESS_TOKEN, and COPILOT_JOB_NONCE, as well as any custom repository or organization secrets.

How should organizations think about AI‑agent security?

Treat each agent like a new employee: grant only the tools and secrets it truly needs, enforce strict white‑listing, and avoid giving production tokens to agents that do not require them.