So this is pretty crazy. Back in August we reported to Google a new class of vulnerability which is using prompt injection on GitHub Action workflows.

Because all good vulnerabilities have a cute name we are calling it PromptPwnd

This occus when you are using GitHub Actions and GitLab pipelines that integrate AI agents like Gemini CLI, Claude Code Actions, OpenAI Codex Actions, and GitHub AI Inference.

What we found (high level):

• Untrusted user input (issue text, PR descriptions, commit messages) is being passed directly into AI prompts
• AI agents often have access to privileged tools (e.g., gh issue edit, shell commands)
• Combining the two allows prompt injection → unintended privileged actions
• This pattern appeared in at least 6 Fortune 500 companies, including Google
• Google’s Gemini CLI repo was affected and patched within 4 days of disclosure
• We confirmed real, exploitable proof-of-concept scenarios

The underlying pattern:
Untrusted user input → injected into AI prompt → AI executes privileged tools → secrets leaked or workflows modified

Example of a vulnerable workflow snippet:

prompt: | Review the issue: "${{ github.event.issue.body }}" 

How to check if you're affected:

• Run Opengrep (we published open-source rules targeting this pattern) ttps://github.com/AikidoSec/opengrep-rules
• Or use Aikido’s CI/CD scanning

Recommended mitigations:

• Restrict what tools AI agents can call
• Don’t inject untrusted text into prompts (sanitize if unavoidable)
• Treat all AI output as untrusted
• Use GitHub token IP restrictions to reduce blast radius

If you’re experimenting with AI in CI/CD, this is a new attack surface worth auditing.
Link to full research: https://www.aikido.dev/blog/promptpwnd-github-actions-ai-agents