ZeroTrace cybersecurity hardware and software
Back to Blog
Agent Security

AI Review Bots Turn PR Text Into a Control Plane

Prompt injection in GitHub Actions is not theoretical anymore. PR titles, comments, and issue text can become instructions for agents with repository secrets.

HTML and code displayed on a computer monitor
April 17, 20262 min read317 words

Image:Photo via Pexels/Pexels License

AI SecurityPrompt InjectionGitHub ActionsCI Security

PR text is no longer just text

AI review bots make pull requests feel more alive. They summarize diffs, find vulnerable patterns, and leave comments in places a tired human reviewer might miss. The security twist is that PR titles, issue bodies, comments, and review text are now part of the agent's operating environment.

If an attacker can control that text, and the agent has access to tools or secrets, the comment stream becomes a control plane.

The risky shape

The dangerous pattern is not “AI exists in CI.” It is this combination:

  • The workflow reads attacker-controlled GitHub text.
  • The text is inserted into an agent prompt.
  • The agent has repository context, write access, API keys, OIDC trust, or shell-adjacent tools.
  • The workflow is triggered automatically or by a maintainer who has not re-reviewed the latest attacker-controlled fields.

That turns a normal CI review into a privilege bridge.

Defensive defaults

Security teams using AI review actions should treat them like production automation, not like a chatbot sitting in the corner.

  • Run AI review only after external contributor approval.
  • Pin action versions and review workflow changes like code.
  • Keep tokens read-only unless a write path is absolutely necessary.
  • Do not pass secrets to analysis jobs that process untrusted PR text.
  • Snapshot PR metadata at approval time, then prevent late title/body swaps from changing what the agent sees.
  • Keep audit logs for agent prompts, tool calls, and generated comments.

The useful mental model

Classic CI risk asks: “Can untrusted code run?” Agentic CI adds another question: “Can untrusted text convince a trusted tool to run?”

That second question is easier to miss because it does not look like code execution at the beginning. It looks like a helpful review comment.

Source note

This post is based on the official Claude Code Security Reviewer repository, John Stawinski's write-up on prompt injection to RCE in Claude Code Action, and SecurityWeek's April 16, 2026 coverage of Comment and Control attacks against AI code agents.

Keep Reading

All Posts
Close-up of highlighted source code on a monitor
AI Security/2 min read

Claude Code's Source-Map Leak Is a Release Pipeline Lesson

The interesting part is not gossip about leaked code. It is how one packaged artifact can expose architecture, roadmap clues, and operational hygiene gaps.

Person in a hood using a phone and laptop in a dark room
Developer Threats/2 min read

Fake Claude Code Leaks Are Becoming Developer Malware Bait

When a famous tool leaks, curiosity becomes the lure. The defensive play is boring provenance, clean downloads, and treating unofficial mirrors as hostile.

Hooded silhouette in front of colorful code
AI Security/2 min read

Workspace Trust Is the New Git Hooks Problem

Agentic coding tools read repository configuration before they do real work. That makes workspace trust a first-class control, not a welcome dialog.

Command Palette

Search for a command to run...