GitHub Actions AI Agent Prompt Injection

PR text is no longer just text

AI review bots make pull requests feel more alive. They summarize diffs, find vulnerable patterns, and leave comments in places a tired human reviewer might miss. The security twist is that PR titles, issue bodies, comments, and review text are now part of the agent's operating environment.

If an attacker can control that text, and the agent has access to tools or secrets, the comment stream becomes a control plane.

The risky shape

The dangerous pattern is not “AI exists in CI.” It is this combination:

• The workflow reads attacker-controlled GitHub text.
• The text is inserted into an agent prompt.
• The agent has repository context, write access, API keys, OIDC trust, or shell-adjacent tools.
• The workflow is triggered automatically or by a maintainer who has not re-reviewed the latest attacker-controlled fields.

That turns a normal CI review into a privilege bridge.

Defensive defaults

Security teams using AI review actions should treat them like production automation, not like a chatbot sitting in the corner.

• Run AI review only after external contributor approval.
• Pin action versions and review workflow changes like code.
• Keep tokens read-only unless a write path is absolutely necessary.
• Do not pass secrets to analysis jobs that process untrusted PR text.
• Snapshot PR metadata at approval time, then prevent late title/body swaps from changing what the agent sees.
• Keep audit logs for agent prompts, tool calls, and generated comments.

The useful mental model

Classic CI risk asks: “Can untrusted code run?” Agentic CI adds another question: “Can untrusted text convince a trusted tool to run?”

That second question is easier to miss because it does not look like code execution at the beginning. It looks like a helpful review comment.

Source note

This post is based on the official Claude Code Security Reviewer repository, John Stawinski's write-up on prompt injection to RCE in Claude Code Action, and SecurityWeek's April 16, 2026 coverage of Comment and Control attacks against AI code agents.