AI Agent Runtime Flaw Leaked Secrets Across Three Vendors
Researchers at Johns Hopkins University discovered a prompt injection vulnerability affecting AI coding agents from Anthropic, Google, and Microsoft that allowed attackers to extract API keys through a single malicious instruction in a GitHub pull request title. The vulnerability, called Comment and Control, exploited a gap between what vendors documented in their system cards and what runtime protections actually existed. All three vendors patched quietly with minimal bounties, and the disclosure reveals significant inconsistencies in how AI agent security is documented and tested across the industry.
Researchers at Johns Hopkins University discovered a prompt injection vulnerability affecting AI coding agents from Anthropic, Google, and Microsoft that allowed attackers to extract API keys through a single malicious instruction in a GitHub pull request title. The vulnerability, called Comment and Control, exploited a gap between what vendors documented in their system cards and what runtime protections actually existed. All three vendors patched quietly with minimal bounties, and the disclosure reveals significant inconsistencies in how AI agent security is documented and tested across the industry.
- A single prompt injection in a PR title extracted API keys from Claude Code Security Review, Gemini CLI Action, and GitHub Copilot Agent simultaneously
- Anthropic's own system card acknowledged Claude Code Security Review is not hardened against prompt injection, yet the feature remained exposed until patched
- Bounties were disproportionately low relative to CVSS 9.4 Critical rating: Anthropic paid $100, Google $1,337, GitHub $500
- System cards from Anthropic, OpenAI, and Google reveal major gaps in documenting agent-runtime security versus model-layer protections
This vulnerability exposes a critical blind spot in AI agent security: vendors are documenting model-layer safety while leaving runtime execution largely unprotected. The fact that the same attack worked across three major platforms simultaneously suggests the industry lacks standardized runtime hardening practices. System cards, intended as transparency tools, are revealing what they do not cover rather than providing assurance.
- System cards are insufficient as security assurance documents when they omit runtime and tool-execution threat models entirely
- The attack surface for AI agents extends beyond model boundaries into GitHub Actions configuration and environment variable exposure, requiring operational controls vendors are not documenting
- Prompt injection at the agent runtime layer bypasses model-layer safeguards, suggesting vendors need separate red teaming and eval frameworks for agent execution versus model behavior
Our Briefing
Weekly signal. No noise. Built for founders, operators, and AI-curious professionals.
No spam. Unsubscribe any time.
