Summary
Implement structured sanitization of GitHub event contexts (issue bodies, PR descriptions, commit messages, comments) before they are interpolated into agent prompts. The PromptPwnd vulnerability class — confirmed affecting Fortune 500 firms via CI/CD agentic pipelines using Claude Code, Gemini CLI, and GitHub Actions — demonstrates that untrusted event data injected into prompts can hijack agent behavior, exfiltrate secrets, and manipulate workflow outputs.
Market Signal
Aikido Security's PromptPwnd disclosure (May 2026) confirmed prompt injection attacks on CI/CD agentic pipelines affecting Fortune 500 companies. Researchers introduced the Agentic Workflow Injection (AWI) taxonomy in a peer-reviewed paper (arxiv 2605.07135), classifying event-context injection as a distinct vulnerability class. OWASP Agentic Top 10 (ASI01: Agent Goal Hijacking, ASI04: Supply Chain Vulnerabilities) now provides a formal framework. GitHub's own agentic workflow public preview (June 11, 2026) ships with a dedicated threat detection scanner and working-tree sanitization — acknowledging the threat at the platform level.
User Signal
The project already has agent-shield.yml for prompt-level protection and push-protection.sh for secret detection, but neither addresses event-context injection — the specific vector PromptPwnd exploits. Issues #619 (self-host deadlock) and #617 (agent-authored PR friction) show that agents process untrusted event data (issue bodies, PR descriptions) to make decisions. The dev-lead agent reads issue content to determine intent; the pr-review agent reads PR descriptions for context. Both paths are AWI-vulnerable.
Technical Opportunity
The project's shell-script architecture (scripts/lib/) provides natural insertion points for a sanitization layer. A sanitize_event_context() function in scripts/lib/ could strip known injection patterns (hidden instructions, base64-encoded payloads, markdown-embedded directives) before event data reaches agent prompts. engine.sh's tiered model routing means sanitization cost is amortized across the triage→deep→audit pipeline. The existing review-cycle.sh already assembles prompts from event data — the sanitization hook goes there.
Assessment
| Dimension | Score | Rationale |
| --- | --- | --- |
| Feasibility | high | Shell-based sanitization function in existing scripts/lib/; no architectural changes needed |
| Impact | high | Addresses a confirmed exploit class (PromptPwnd) affecting Fortune 500 firms using the same tools |
| Urgency | high | Active exploitation in the wild; OWASP + academic taxonomy formalizing the threat |
Adversarial Review
Strongest objection: The project's agent-shield.yml already handles prompt-level security. Adding another layer creates complexity and may break legitimate use of issue content in prompts (e.g., when an issue describes a code pattern that looks like an injection).
Rebuttal: Agent-shield addresses a different threat surface: preventing agents from modifying security-critical files. AWI specifically targets the injection of malicious content FROM event contexts INTO prompts — a vector agent-shield doesn't cover. The sanitization is additive, not duplicative. Legitimate code patterns in issue bodies can be preserved through a structured allow-list approach (sanitize directives and hidden instructions, preserve code blocks). The PromptPwnd research confirmed this exploit class affects the exact tools and patterns used here.
Suggested Next Step
1. Audit all paths where event-context data (issue body, PR description, commit message, comment body) flows into agent prompts in scripts/lib/review-cycle.sh and the dev-lead intent pipeline.
2. Implement a sanitize_event_context() function in scripts/lib/ with configurable strictness levels.
3. Add BATS tests with known AWI payloads from the PromptPwnd disclosure.
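As an added example (not the project's own code), a candidate sanitize_event_context() of the kind proposed under Technical Opportunity and step 2 above, taking the allow-list approach from the rebuttal: fenced code blocks pass through untouched while hidden carriers are stripped, and a strictness argument selects how aggressive the filter is. It assumes a POSIX shell with awk and a home in scripts/lib/; the sample text used below is constructed.

```bash
#!/bin/sh
# Added example, not project code: candidate sanitize_event_context() for scripts/lib/.
# Reads untrusted event text (issue body, PR description, comment) on stdin, writes
# the sanitized text to stdout. Level 1 strips hidden carriers: HTML comments,
# markdown comment lines, zero-width/bidi control characters, base64-looking runs.
# Level 2 additionally redacts lines that read like instructions to the agent.
# Fenced code blocks are passed through untouched (allow-list: keep code, drop
# directives), so an issue that quotes a suspicious-looking snippet still survives.
sanitize_event_context() {
  awk -v level="${1:-1}" -v fence="$(printf '\140\140\140')" \
      -v zw="$(printf '\342\200\213 \342\200\214 \342\200\215 \342\201\240 \357\273\277 \342\200\252 \342\200\253 \342\200\254 \342\200\255 \342\200\256')" '
  BEGIN { in_code = 0; in_comment = 0; n = split(zw, hidden, " ") }
  {
    line = $0
    if (substr(line, 1, 3) == fence) { in_code = !in_code; print line; next }
    if (in_code) { print line; next }                  # code blocks are never rewritten
    for (i = 1; i <= n; i++) gsub(hidden[i], "", line) # U+200B..D, U+2060, U+FEFF, U+202A..E
    if (in_comment) {                                  # inside a multi-line <!-- ... -->
      e = index(line, "-->")
      if (e == 0) next
      line = substr(line, e + 3); in_comment = 0
    }
    while ((s = index(line, "<!--")) > 0) {            # HTML comments hide text from humans
      rest = substr(line, s + 4); e = index(rest, "-->")
      if (e > 0) line = substr(line, 1, s - 1) substr(rest, e + 3)
      else { line = substr(line, 1, s - 1); in_comment = 1; break }
    }
    if (line ~ /^[ \t]*\[\/\/\]:[ \t]*#/) next         # markdown comment "[//]: # (...)"
    out = ""                                           # replace base64-looking runs >= 40 chars
    while (match(line, /[A-Za-z0-9+\/=]+/)) {
      tok = substr(line, RSTART, RLENGTH)
      out = out substr(line, 1, RSTART - 1) (RLENGTH >= 40 ? "[base64 removed]" : tok)
      line = substr(line, RSTART + RLENGTH)
    }
    line = out line
    if (level >= 2 &&
        tolower(line) ~ /(ignore|disregard|forget) +(all +|the +|any +)?(previous|prior|above|earlier) +instructions|you are now|system prompt|new instructions:/)
      line = "[directive redacted]"
    print line
  }'
}
```

Where review-cycle.sh assembles the prompt, the untrusted field would be piped through it, e.g. `safe_body=$(printf '%s' "$issue_body" | sanitize_event_context 2)` (variable names illustrative). The level-2 phrase list is a starting point to be fed from the BATS payload corpus in step 3, not a complete signature set.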