โ† Back to blog

Researchers Tricked GitHub's AI Agent Into Leaking Private Repos With a Single Issue

โญ Featured

Researchers Tricked GitHub's AI Agent Into Leaking Private Repos With a Single Issue

Security researchers at Noma Labs just published something every AI agent builder should read twice. They found a vulnerability โ€” nicknamed GitLost โ€” in GitHub's Agentic Workflows that let an unauthenticated attacker leak the contents of an organization's private repositories. The attack required no credentials, no exploit code, and no special access. Just a public GitHub issue with the right words in it.

How the Attack Actually Worked

Here's the part that should make anyone building with AI agents sit up: the attacker didn't hack anything in the traditional sense. They opened an issue in a public repository that belonged to the same organization as the private repos they wanted. Buried in that issue was a set of instructions written to look like a legitimate task.

When GitHub's AI agent โ€” running on Claude or GitHub Copilot โ€” picked up that issue as part of its normal workflow, it read the embedded instructions and treated them as commands to follow. Those commands told it to go read private repositories and post the contents back somewhere the attacker could see them. The agent complied.

The Root Cause: Agents Can't Tell Instructions From Data

This is the same failure mode security researchers have been warning about for a while: prompt injection. The agent had no reliable way to distinguish "content a user wrote that happens to look like instructions" from "instructions the system actually wants it to follow." Anything in an issue, a comment, or a file was potentially trusted as if a human operator had typed it directly into the chat.

Noma Labs also found that GitHub's existing safety guardrails could be bypassed with something almost comically simple โ€” adding the word "Additionally" before the malicious instruction was enough to slip past the filter in some cases. That's not a sophisticated jailbreak. That's a reminder that keyword-based defenses against prompt injection are fragile by nature.

Why This Matters Beyond GitHub

This isn't really a story about one company's bug. Every AI agent that reads content from the outside world โ€” issues, emails, web pages, Slack messages, PDFs โ€” faces the exact same structural problem. If the agent has broad permissions and no separation between "trusted instructions from the system" and "untrusted content it's processing," an attacker just needs to get their text in front of the agent.

Noma Labs' fix recommendations are the same ones the security community has been repeating for two years now: restrict agents to the minimum permissions they actually need, and treat anything sourced from user-controllable content โ€” issues, PRs, comments โ€” as data to be summarized, never as commands to be executed.

What This Means If You Use OpenClaw

OpenClaw agents are built around the same principle Noma Labs is pointing at: scope matters more than capability. An agent that can do everything is also an agent that can be tricked into doing everything an attacker wants.

When you set up tools and skills in OpenClaw, you're defining exactly what your agent is allowed to touch โ€” which accounts, which repos, which APIs. That's not a limitation bolted on after the fact; it's the design. The fewer standing permissions an agent has, the smaller the blast radius when it encounters content it shouldn't fully trust โ€” whether that's a suspicious GitHub issue, a scraped web page, or an inbound email.

The Bigger Picture

GitLost is a clean, concrete demonstration of a problem that's going to keep showing up as more companies wire AI agents into their existing tools. The agents are getting more capable faster than the permission models around them are catching up. The lesson isn't "don't use AI agents" โ€” it's "know exactly what yours can touch, and keep that list as short as possible."

If you're building or running agents of your own, this is a good week to double-check what permissions they're actually holding โ€” not what you think you gave them, but what they can actually reach.

Start your free trial โ†’