GitHub workflow AI agents can leak credentials through comment-and-control prompt injection
Aonan Guan's "Comment and Control" write-up shows how attacker-controlled GitHub titles, issues, and comments can become prompt-injection channels for hosted coding agents with workflow credentials.
Date
Apr 15, 2026
First Seen
Apr 15, 2026
Last Reviewed
May 7, 2026
Publisher
Aonan Guan
Source Type
article
Related reading
OpenClaw Security Guide: A practical baseline for local binding, scoped credentials, sandboxing, runtime checks, and Armorer Guard.
Securing OpenClaw with Armorer Guard: How Armorer wraps OpenClaw with managed setup, Docker hardening, health checks, approvals, and Guard-backed scanning.
Why It Matters
This failure mode is directly relevant to OpenClaw-style agent operations because it combines untrusted collaboration content, privileged tool use, and secrets in one runtime. Even when the agent is performing an intended SDLC task, hidden or adversarial instructions can steer it toward credential access, command execution, or outbound publication.
Attack Path
- An outside contributor submits attacker-controlled text in a pull request title, issue body, or issue comment.
- A GitHub workflow or assigned coding agent includes that text in the agent prompt/context.
- The agent runtime has access to shell tools, git operations, API tokens, model provider keys, or other environment credentials.
- The injected instructions cause the agent to inspect process/environment data or otherwise access secrets.
- The agent writes results back through a permitted GitHub channel such as a PR comment, issue comment, Actions log, or committed file.
Affected Surface
- AI coding agents triggered by pull_request, pull_request_target, issues, or issue_comment workflows.
- Agents that read rendered or raw GitHub content from untrusted contributors.
- Runtimes where model context, command execution, git write access, and credentials are co-located.
- OpenClaw deployments that orchestrate coding agents or GitHub automation with broad local or CI credentials.
Evidence
- Primary researcher write-up: OddGuan source record.
- Related secondary synthesis: VentureBeat coding-agent credential exploit summary.
- The primary source reports coordinated disclosures and bounty outcomes for Anthropic, Google, and GitHub cases. Treat affected-product remediation status as source-reported unless confirmed through each vendor's advisory or changelog.
Mitigations
- Do not expose repository or organization secrets to workflows that process untrusted contributor input. In GitHub Actions, treat pull_request_target, issue_comment, and issues triggers with particular care: they run in the base repository's context with its secrets available even when the title, body, or comment came from a fork or an outside account. If a workflow must read that text, confine it to a job with no secrets and a read-only token, and hand any privileged follow-up (posting a comment, pushing a commit) to a separate, trusted job.
- Prefer allowlisted tools and explicit command policies over broad shell access.
- Separate untrusted input processing from runtimes that hold deploy, provider, or repository-write credentials.
- Use short-lived, least-privilege tokens for agent workflows.
- Gate high-risk actions such as shell execution, credential access, public comments, commits, and pushes.
- Monitor agent runs for unexpected process inspection, environment dumping, encoded output files, anomalous comments, and unusual git activity.
- For local OpenClaw/Armorer operations, run untrusted repo tasks in containers with minimal mounted credentials and explicit oversight checkpoints.
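The trigger, permission, and prompt-construction conditions from the Attack Path and Affected Surface sections, and the first four mitigations above, reduce to a handful of checks that can be run against a workflow before it is merged. The following audit is an added example, not code from Guan's write-up or from any project the page describes. It takes workflows as already-parsed dicts (the shape PyYAML yields) so it has no dependencies; the two sample workflows and the agent CLI they invoke are constructed for illustration.

```python
"""Audit a GitHub Actions workflow for the comment-and-control conditions:
attacker-writable event text flowing into a run: script or agent prompt, under a
trigger that runs with the base repository's secrets, in a job that also holds
secrets or a write-scoped GITHUB_TOKEN.

Workflows are passed as parsed dicts so the example has no dependencies. A real
PyYAML load turns the bare key `on` into the boolean True (YAML 1.1 rules);
normalise that before auditing. Sample workflows and the `agent` CLI are constructed.
"""
import re

# Triggers whose payload text is attacker-controlled yet run in the base repository
# context with its secrets (unlike a plain pull_request from a fork).
PRIVILEGED_UNTRUSTED_TRIGGERS = {"pull_request_target", "issue_comment", "issues"}
# Event fields an outside contributor writes directly.
UNTRUSTED_FIELD = re.compile(
    r"github\.event\.(pull_request\.(title|body)|issue\.(title|body)|comment\.body)"
)
EXPRESSION = re.compile(r"\$\{\{[^}]*\}\}")
SECRET_REF = re.compile(r"secrets\.[A-Za-z_][A-Za-z0-9_]*")


def _strings(node):
    """Yield every string in a nested dict/list, keys included."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield str(key)
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)
    elif isinstance(node, str):
        yield node


def _trigger_names(on):
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on or {})


def _token_can_write(perms):
    """True if the job's GITHUB_TOKEN can write anything."""
    if perms is None:
        return True  # no permissions block: inherits the repository default, which may still be write
    if isinstance(perms, str):
        return perms == "write-all"
    return any(v == "write" for v in perms.values())


def audit_workflow(wf):
    """Return a list of findings; an empty list means the workflow passed."""
    findings = []
    privileged = _trigger_names(wf.get("on")) & PRIVILEGED_UNTRUSTED_TRIGGERS
    for job_name, job in wf.get("jobs", {}).items():
        texts = list(_strings(job))
        reads_untrusted = any(UNTRUSTED_FIELD.search(t) for t in texts)
        secrets_used = sorted({m.group(0) for t in texts for m in SECRET_REF.finditer(t)})
        # ${{ github.event.* }} spliced straight into a run: script is a shell injection
        # on top of the prompt injection; pass the text through env instead.
        for step in job.get("steps", []):
            for expr in EXPRESSION.findall(step.get("run", "")):
                if UNTRUSTED_FIELD.search(expr):
                    findings.append(f"{job_name}: untrusted event text interpolated into run: {expr}")
        if reads_untrusted and privileged:
            findings.append(f"{job_name}: reads untrusted text under privileged trigger {sorted(privileged)}")
        if reads_untrusted and secrets_used:
            findings.append(f"{job_name}: untrusted text and secrets co-located: {secrets_used}")
        if reads_untrusted and _token_can_write(job.get("permissions", wf.get("permissions"))):
            findings.append(f"{job_name}: untrusted text processed with a write-scoped GITHUB_TOKEN")
    return findings


WEAK_WORKFLOW = {  # constructed: the shape the write-up targets
    "on": {"pull_request_target": {"types": ["opened", "edited"]}},
    "permissions": {"contents": "write", "pull-requests": "write"},
    "jobs": {"review": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4", "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"env": {"ANTHROPIC_API_KEY": "${{ secrets.ANTHROPIC_API_KEY }}"},
         "run": 'agent review --prompt "${{ github.event.pull_request.title }}: ${{ github.event.pull_request.body }}"'},
    ]}},
}
HARDENED_WORKFLOW = {  # constructed: untrusted text via env, no secrets, read-only token, output as artifact
    "on": {"pull_request": {"types": ["opened", "synchronize"]}},
    "permissions": {"contents": "read"},
    "jobs": {"review": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"env": {"PR_TITLE": "${{ github.event.pull_request.title }}",
                 "PR_BODY": "${{ github.event.pull_request.body }}"},
         "run": "agent review --title-env PR_TITLE --body-env PR_BODY --no-shell --output review.md"},
        {"uses": "actions/upload-artifact@v4", "with": {"name": "review", "path": "review.md"}},
    ]}},
}

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or "ok")
```

The hardened shape still reads the PR text, which is the whole point of the task; what changes is that the job holding it has no secrets and a read-only token, and anything that needs to write back (a comment, a commit) belongs in a second workflow that runs from the trusted default branch and consumes only the artifact. Checking out the PR head under pull_request_target, as the weak sample does, is a further known hazard that this audit does not cover.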
Open Questions
- Which vendor mitigations fully remove the reported paths versus narrowing specific command or exfiltration techniques?
- How should GitHub-native exfiltration channels such as comments, commits, and logs be monitored without excessive false positives?
- Which OpenClaw task profiles should be prohibited from reading raw issue or PR content while holding write-scoped tokens?
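The monitoring bullet under Mitigations and the second open question both concern the same problem: the exfiltration channels are legitimate GitHub operations, so detection has to key on what flows into them rather than on the operation itself. The scanner below is an added example (not from the write-up or any project) that runs over a constructed agent transcript in a "<step> <tool> <payload>" form; adapt the split to whatever your runtime actually emits. It flags environment or process inspection in shell steps, credential-shaped strings headed for a GitHub-visible sink, and base64 runs that decode to an environment dump, while letting a long hex commit SHA pass, which is the false-positive case the open question asks about. Token prefixes are matched by their public shapes only, and the tokens in the sample are fake.

```python
"""Scan one agent run for the indicators listed under Mitigations: environment
or process inspection, encoded blobs, and credential-shaped strings on their way
to a GitHub-visible channel (comment, commit, push, Actions log).

Log lines are constructed for this example as "<step> <tool> <payload>". Token
prefixes are matched by their public shapes only (GitHub ghp_/github_pat_,
Anthropic sk-ant-, AWS AKIA); every token below is a fabricated example.
"""
import base64
import re

ENV_INSPECTION = re.compile(
    r"(^|[\s;|&])(env|printenv|set)(\s|$)"      # dump the whole environment
    r"|/proc/(self|\d+)/environ"                 # same thing via procfs
    r"|os\.environ|process\.env|System\.getenv"  # in-language equivalents
)
TOKEN_SHAPE = re.compile(
    r"\b(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,}|sk-ant-[A-Za-z0-9_-]{20,}|AKIA[0-9A-Z]{16})\b"
)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
GITHUB_SINKS = {"gh_pr_comment", "gh_issue_comment", "git_commit", "git_push", "actions_log"}


def _hides_secret(blob):
    """Decode a base64-looking run and check for an env dump or token inside.
    Requiring clean ASCII keeps commit SHAs and other long hex out: they decode to binary."""
    try:
        decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return False
    return bool(TOKEN_SHAPE.search(decoded) or re.search(r"\b[A-Z][A-Z0-9_]{3,}=", decoded))


def scan_run(lines):
    """Return (step, indicator, detail) triples; an empty list is a quiet run."""
    alerts = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        step, tool, payload = parts
        if tool == "shell" and ENV_INSPECTION.search(payload):
            alerts.append((step, "env_inspection", payload))
        if tool in GITHUB_SINKS:
            if TOKEN_SHAPE.search(payload):
                alerts.append((step, "credential_in_github_sink", tool))
            if any(_hides_secret(b) for b in B64_RUN.findall(payload)):
                alerts.append((step, "encoded_secret_in_github_sink", tool))
        if tool == "write_file" and any(_hides_secret(b) for b in B64_RUN.findall(payload)):
            alerts.append((step, "encoded_secret_written", payload.split(" ", 1)[0]))
    return alerts


# Constructed transcript: the agent is steered from a flaky-test task into dumping
# its environment and posting it back, base64-encoded, as an issue comment.
ENCODED_DUMP = base64.b64encode(b"ANTHROPIC_API_KEY=sk-ant-api03-EXAMPLE0000000000000000000\n").decode()
INJECTED_RUN = [
    "s1 read_issue #482 Fix flaky test in ci/ runner",
    "s2 shell pytest tests/ci -q",
    "s3 shell cat /proc/self/environ | base64 -w0",
    "s4 gh_issue_comment Done. debug: " + ENCODED_DUMP,
    "s5 git_commit chore: update notes ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
]
# Constructed benign run: the 40-hex commit SHA must not trip the encoded-blob check.
CLEAN_RUN = [
    "s1 read_issue #12 typo in README",
    "s2 shell pytest -q",
    "s3 gh_pr_comment Fixed the typo, see 3f9a2c1d4e5b6a7c8d9e0f1a2b3c4d5e6f7a8b9c",
]

if __name__ == "__main__":
    for step, indicator, detail in scan_run(INJECTED_RUN):
        print(step, indicator, detail)
    print("clean run alerts:", scan_run(CLEAN_RUN))
```

The decode step is what keeps the comment and commit channels monitorable without alerting on every long identifier: a base64 run is only reported when its plaintext has the shape of a token or a KEY=value dump. A runtime that gates sinks (the earlier mitigation bullet) can call the same checks before the comment or commit is emitted rather than after.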