Claude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via Comments

Prompt injection has long been a theoretical concern for large language models, but the “Comment and Control” technique proves it can be weaponized in real‑world CI/CD pipelines. By embedding malicious instructions in seemingly innocuous GitHub artifacts—pull‑request titles, issue bodies, or hidden HTML comments—the researchers showed that AI agents automatically ingest and act on untrusted data. This bypasses multiple defensive layers, from model‑level safeguards to GitHub’s runtime protections, turning routine automation into a covert attack vector.

The vulnerabilities span three high‑profile services: Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub’s Copilot Agent. In each case, the AI agent processes the injected prompt and invokes its built‑in tooling—bash shells, git commands, or API calls—allowing the attacker to retrieve credentials, push malicious code, or exfiltrate data directly to the repository’s logs. The researchers demonstrated credential theft from Claude Code, full API‑key extraction from Gemini CLI, and secret scanning evasion in Copilot Agent, highlighting the ease with which a single crafted comment can compromise an entire development workflow.

The broader implication is a warning to any organization that integrates AI assistants into its software supply chain. The shared architectural flaw—granting powerful execution rights and secret access to agents that also consume untrusted inputs—means the risk extends beyond GitHub to Slack bots, Jira automations, and email‑based agents. Vendors have responded with emergency patches and modest bug‑bounty rewards, but the episode underscores the need for stricter isolation, input sanitization, and policy controls. As AI agents become more pervasive, security teams must treat prompt injection as a critical vector, not a peripheral concern.