YOUR AI CODE REVIEWER CAN BE HACKED WITH A GITHUB ISSUE

PromptPwnd + Clinejection

AI-powered GitHub Actions such as Claude Code Actions, Gemini CLI, and OpenAI Codex process untrusted user input from issue bodies and PR descriptions. Attackers have discovered that embedding prompt injection payloads in these inputs can hijack the AI agent, causing it to leak secrets, publish malicious packages, or exfiltrate credentials.

Two attacks, one pattern

The common pattern

In both cases, untrusted input from a GitHub issue body or PR description flowed directly into an AI agent prompt. The AI agent treated the injected instructions as legitimate commands. The attacker never needed repository write access, a compromised account, or a zero-day vulnerability. They only needed to open an issue.

Why existing defenses fail

Traditional CI/CD security tools scan for secrets in code, not for prompt injection in issue bodies. SAST tools do not analyze AI action configurations. Code review bots do not validate the allowed_non_write_users field or scan instruction files for hidden directives. The attack surface is entirely new and unmonitored by conventional tooling.

How to defend

• Validate AI action configurations — Ensure allowed_non_write_users is explicitly restricted.
• Scan instruction files — Check CLAUDE.md, .cursorrules, and similar files for injected directives.
• Restrict secret access — AI agents should never have access to publish tokens or deployment credentials.
• Monitor outbound requests — Flag any unexpected network calls from AI action runners.

How OpenSyber detects this

OpenSyber's GitHub Actions AI Prompt Guard skill detects prompt injection patterns in issue bodies, PR descriptions, and comment threads before they reach an AI agent. It validates AI action configurations and flags overly permissive access controls.