Comment and Control — Prompt Injection to Credential Theft in Claude Code, Gemini CLI, and Copilot Agent

AI relevance: Coding agents running in GitHub Actions inherit repository secrets (API keys, tokens) as environment variables, so prompt injection through PR titles, issue bodies, or comments directly translates into credential theft across three major vendor platforms simultaneously.

• Researcher: Aonan Guan, with Zhengyu Liu and Gavin Zhong from Johns Hopkins University
• Attack name: "Comment and Control" — wordplay on C2 (command and control), using GitHub comments as the injection channel
• Cross-vendor impact: First coordinated disclosure affecting Anthropic, Google, and GitHub coding agents
• Claude Code Security Review (CVSS 9.4 Critical): PR title interpolated directly into prompt with no sanitization; Claude CLI invoked without --disallowed-tools or --allowed-tools, inheriting all env vars including ANTHROPIC_API_KEY and GITHUB_TOKEN
• Attack technique: Malicious PR title breaks out of prompt context, instructs Claude to run env or ps auxeww | grep and embed results in JSON findings posted as PR comments
• Stealth path: Credentials also leak through GitHub Actions logs — a channel normal users rarely inspect
• Google Gemini CLI Action: Issue body and comments included in prompt; attacker injects fake "Trusted Content Section" to override safety instructions, Gemini posts GEMINI_API_KEY publicly as issue comment
• GitHub Copilot Agent (SWE Agent): Most sophisticated target — GitHub added environment filtering, secret scanning, and network firewall defenses; researcher bypassed all three layers
• Bounty results: Anthropic $100, Google VRP $1,337
• Anthropic fix: Added --disallowed-tools 'Bash(ps:*)' to block process enumeration; stated the action "is not designed to be hardened against prompt injection"
• Fundamental gap: All three agents share the same flow — read GitHub data, process as prompt context, execute tools — meaning any external contributor input becomes an attack surface

Why it matters

AI coding agents are increasingly deployed in CI/CD pipelines with broad repository access. This research demonstrates that the entire loop — injection, execution, and exfiltration — can happen within GitHub's own platform, with no external infrastructure required. The fact that three independent vendors share the same vulnerability pattern suggests the entire class of GitHub-hosted AI agents needs architectural rethinking, not just vendor-specific patches. Anthropic's response that the tool "is not designed to be hardened against prompt injection" highlights a systemic disconnect between how these agents are deployed and the threat model they operate under.

What to do

• Audit AI agent Actions: Review all GitHub Actions that invoke AI agents and check for secret exposure in runner environments
• Use --disallowed-tools and --allowed-tools: Explicitly restrict tool access when invoking Claude CLI or similar agents
• Branch protection rules: Require maintainer approval before AI agents run on PRs from forks or external contributors
• Rotate secrets: If you run any affected agent, rotate repository secrets and API keys immediately
• Monitor Actions logs: The stealth exfiltration path through Actions logs means attackers can retrieve credentials without any visible PR comment

References

• Original research — Comment and Control by Aonan Guan
• SecurityWeek coverage
• Anthropic fix commit — disallow ps tool
• PoC repository — Claude Code Security Review