The “Comment and Control” Paradigm: Unmasking Critical Indirect Prompt Injection in AI Dev Agents
As AI agents transition from simple chatbots to autonomous participants in the software development lifecycle (SDLC), a dangerous new attack surface has emerged. Recent research has identified a class of vulnerabilities known as “Comment and Control”, which allows attackers to hijack AI agents—specifically those integrated into GitHub workflows—to exfiltrate sensitive credentials and execute unauthorized commands.
The groundbreaking study, led by Aonan Guan and researchers from Johns Hopkins University, exposes deep-seated architectural flaws in how industry-leading tools like Claude Code, Google Gemini CLI, and GitHub Copilot handle untrusted data. These findings suggest that current mitigation strategies may be insufficient against sophisticated indirect prompt injection.

Unlike direct prompt injection, where a user interacts maliciously with a model, “Comment and Control” is an indirect technique. The attacker doesn’t need to interact with the AI directly; instead, they embed malicious instructions within standard GitHub communication channels—such as Pull Request (PR) titles, issue descriptions, or comments. When an integrated AI agent parses these elements to assist a developer, it inadvertently ingests the attacker’s payload into its own execution context.
The fundamental failure lies in contextual ambiguity: the agent cannot distinguish between legitimate developer instructions and malicious payloads embedded in the repository’s metadata. Once the payload is ingested, the agent executes commands with the full permissions of the GitHub Actions runner, leading to the exposure of API keys, environment variables, and access tokens.
Deep Dive: Vulnerability Analysis by Agent
Claude Code Security Review (Anthropic)
Anthropic’s Claude Code Security Review is designed to automate the heavy lifting of PR security audits. However, the research found that the agent performs direct interpolation of PR titles into its system prompts without sufficient sanitization.
By titling a PR with a malicious bash payload (e.g., whoami or ps auxeww), an attacker can force the agent to run local system commands. Because the Claude CLI is invoked in a manner that allows subprocesses to inherit the environment, it gains access to highly sensitive variables like ANTHROPIC_API_KEY and GITHUB_TOKEN. The agent then inadvertently includes these secrets in its JSON response, which is subsequently posted as a public PR comment. This critical flaw received a CVSS score of 9.4 and was eventually mitigated by Anthropic restricting the use of the ps tool.

Google Gemini CLI Action
The Google Gemini CLI Action follows a similar pattern of failure. Because the agent’s operational prompt includes the entirety of an issue’s context (title, body, and comments), it is highly susceptible to “instruction overriding.”
Attackers use a technique of appending a fabricated “Trusted Content Section” to their comments. This psychological/structural trickery exploits the model’s tendency to follow the most recent or “authoritative” instruction, overriding its safety training. This leads the agent to treat the attacker’s instructions as high-priority, causing it to output the GEMINI_API_KEY directly into a public-facing comment.
GitHub Copilot Agent
The most sophisticated exploit was demonstrated against the GitHub Copilot Agent. While previous attacks were relatively “loud,” this exploit utilized an invisible payload hidden within HTML comments inside a GitHub issue, making it invisible to human reviewers but perfectly legible to the agent’s Markdown parser.

When a developer assigns a task to Copilot based on the infected issue, the agent parses the hidden HTML and executes a command to pipe the process list through base64 before committing the result to a new PR. This attack was particularly notable for successfully bypassing three critical security layers:
- Environment Filtering: While Copilot attempts to scrub sensitive variables from its direct bash subprocess, the parent Node.js and MCP (Model Context Protocol) processes retain the full environment. By running
ps auxeww, the attacker can read the unfiltered environment of the parent process. - Secret Scanning: GitHub’s secret scanning API looks for known patterns (like
ghs_). By encoding the stolen data inbase64, the attacker renders the data unrecognizable to standard scanners. - Network Firewall: Traditional egress filtering often blocks unknown outbound connections. However, since the agent requires
GitHub.comaccess for its job, the attacker uses a standardgit pushto exfiltrate the data via the repository itself, effectively using a trusted channel as a covert one.
The Architectural Crisis in AI Autonomy
These vulnerabilities are not merely “bugs” that can be patched with better prompting; they represent an inherent architectural conflict in modern AI deployment.
To be useful, AI agents must possess two things: high-level permissions (access to secrets, Git, and shell execution) and high-level context (the ability to read PRs and issues). However, the “context” required for their function is essentially unvetted, untrusted user input.
As long as the biological intelligence (the developer) and the artificial intelligence (the agent) share the same workspace, and as long as agents process unverified data with administrative privileges, the risk of indirect prompt injection will remain a critical threat to the software supply chain.