GitLost — GitHub Agentic Workflows Leak Private Repos via Prompt Injection

AI relevance: GitHub Agentic Workflows combine Actions with LLM agents that read issues, execute tasks, and interact with repos — the trust boundary between system instructions and user-controlled issue content is where prompt injection becomes a data exfiltration weapon.

What Happened

  • Noma Labs disclosed "GitLost," a critical vulnerability in GitHub's newly launched Agentic Workflows feature.
  • Agentic Workflows let developers describe tasks in natural language Markdown; AI agents (powered by models like Claude or Copilot) then read issues, execute actions, and post responses automatically.
  • The root cause: the agent fails to establish a strict trust boundary between system-level instructions and user-controlled input — a classic indirect prompt injection scenario.
  • An attacker creates a seemingly legitimate issue in a public repo belonging to a target org. Once assigned, the workflow activates and processes the injected instructions.
  • The agent retrieves data from accessible private repositories and posts the extracted content as a public comment — no authentication required.
  • In the proof-of-concept, private repo README.md files were exfiltrated, but the attack surface extends to any data the agent can read.
  • Guardrail bypass was trivial: inserting keywords like "Additionally," caused the model's safety mechanisms to be circumvented.
  • Unlike deterministic software, AI agents rely on probabilistic interpretation of instructions — making them inherently vulnerable to manipulation through crafted inputs.

Why It Matters

This is the agentic equivalent of SQL injection for web apps. As organizations adopt AI-powered automation in CI/CD pipelines, the attack surface shifts from deterministic code execution to probabilistic instruction interpretation. Any org running Agentic Workflows with read access to private repos is exposed to unauthenticated data exfiltration by anyone who can open an issue.

What To Do

  • Enforce strict separation between trusted system instructions and untrusted user input in all agentic workflow configurations.
  • Minimize agent permissions — restrict read access to only the repos the workflow genuinely needs.
  • Restrict public outputs: prevent agents from posting comments or data externally without explicit human approval.
  • Implement input sanitization for issue content before it reaches the agent's context window.
  • Monitor agent outputs for signs of data leakage, especially cross-repository content.

Sources