OpenClaw Security Guide
Back to Threat Intel
sourcearticleAgent: OpenClaw

Comment and Control: Prompt Injection to Credential Theft in Claude Code, Gemini CLI, and GitHub Copilot Agent

The "Comment and Control" research write-up shows how GitHub pull request titles, issue bodies, and comments can steer hosted AI coding agents, with demonstrations against Claude Code Security Review, Gemini CLI Action, and GitHub Copilot Agent.

openclawagentic-aiprompt-injectioncredential-theftgithub-actions

Date

Apr 15, 2026

First Seen

Apr 15, 2026

Last Reviewed

May 4, 2026

Publisher

Aonan Guan

Source Type

article

View source

Related reading

OpenClaw Security Guide

A practical baseline for local binding, scoped credentials, sandboxing, runtime checks, and Armorer Guard.

Securing OpenClaw with Armorer Guard

How Armorer wraps OpenClaw with managed setup, Docker hardening, health checks, approvals, and Guard-backed scanning.

Subscribe via RSSFollow on TelegramGet email updates

Get email updates

Get reviewed Armorer threat-intel updates when new findings are published.

Source Summary

What It Contains

The "Comment and Control" research write-up shows how GitHub pull request titles, issue bodies, and comments can steer hosted AI coding agents, with demonstrations against Claude Code Security Review, Gemini CLI Action, and GitHub Copilot Agent.

Extracted Claims

  • AI agents that process GitHub collaboration data can treat attacker-controlled PR titles, issue bodies, or issue comments as trusted instructions.
  • In the Claude Code Security Review case, a malicious PR title was reported to influence the agent into command execution and credential disclosure through a security-review comment or Actions log.
  • In the Gemini CLI Action case, issue/comment prompt injection was reported to induce disclosure of a Gemini API key in an issue comment.
  • In the GitHub Copilot Agent case, hidden HTML comments in an issue body were reported to influence the agent into committing encoded process/environment output, bypassing environment filtering, secret scanning, and network firewall controls described in the source.
  • The common root cause is co-location of untrusted text processing, powerful tools, git or comment write channels, and sensitive credentials in the same agent runtime.
  • The source reports disclosure timelines and bounty outcomes for Anthropic, Google, and GitHub cases.

Evidence Quality

Primary researcher report with technical details, screenshots, timelines, and references to vulnerability-program case numbers. The write-up is directly useful for Armorer threat modeling, but individual vendor remediation details should be verified against vendor advisories or code changes before treating a specific product version as currently exploitable.

Follow-Up

  • Track official vendor advisories, changelogs, or GitHub Action updates that confirm durable fixes.
  • Add detection logic examples if public Sigma, GitHub Actions, or runtime-monitoring rules emerge for encoded environment dumps, abnormal process inspection, or AI-agent comment exfiltration.
  • Use this as evidence for controls that separate untrusted repository content from secrets and write-capable tools.