Summary
austenstone/copilot-cli is a GitHub Action wrapper around GitHub Copilot CLI. The Action itself does not implement any built-in access control over who may trigger it, and its default configuration exposes a broad agent capability surface, including allow-all-tools: true. When repository workflows pass untrusted issue, pull request, or comment content into the prompt input, that content can influence an autonomous Copilot agent with tool access and GitHub side-effect capability. In common usage patterns, this creates an Agentic Workflow Injection (AWI) risk where attacker-controlled text can alter the agent’s plan, requested tools, and GitHub operations.
Details
The action is designed as a generic wrapper and accepts a raw prompt input:
action.yml defines a required prompt input.- The Action does not perform any actor validation, repository permission checks, or user allowlisting.
- The Action enables autonomous behavior by default:
autopilot: trueno-ask-user: trueallow-all-tools: true
- The wrapper also adds
/ as an accessible directory via --add-dir /, expanding the local file-read surface beyond the checked-out workspace.
Relevant source-level observations:
action.yml exposes prompt directly as an input.action.yml defaults allow-all-tools to true.- The run script builds Copilot CLI arguments and appends
--allow-all-tools when enabled.
As a result, if a workflow uses this Action on events such as issue_comment, pull_request, or pull_request_review_comment and interpolates untrusted user-controlled content into prompt, an attacker may be able to:
- Override or distort the intended task.
- Cause the agent to enumerate or invoke additional tools.
- Cause the agent to read broader repository or runner context than intended.
- Influence GitHub-side actions such as reactions, comments, issue/PR updates, or any other enabled MCP / repository operation.
This is not just a prompt-integrity problem. Because the target is an autonomous coding agent with default tool access, the impact extends to agent behavior and side effects.
PoC
I validated this issue by posting an issue comment and observing that the agent in .github/workflows/copilot-comment.yml could be influenced by prompt-injection content in the comment body.
Reference:
#59 (comment)
The PoC comment asked the agent to deviate from its original task and instead enumerate the tools and capabilities available in the session. This demonstrates that attacker-controlled issue-comment content can reach the agent layer and influence agent behavior in a realistic workflow using this Action.
Impact
This issue is not limited to manipulating Copilot’s reply. Because the Action runs an autonomous agent and defaults to allow-all-tools: true, successful prompt injection can cause the agent to use tools to read local files, access broader runner context, perform GitHub-side actions, fetch remote resources, and execute arbitrary shell commands within the workflow’s privileges.
Suggested Remediation
- Add built-in trigger-side access controls similar to user allowlists / trusted-author checks.
- Change insecure defaults:
- default
allow-all-tools to false
- avoid
--add-dir / by default
- Encourage or require explicit least-privilege tool and URL configuration.
- Add documentation warning that untrusted issue/PR/comment content must not be passed directly into
prompt without workflow-level trust checks and output-side guardrails.
Reported By
Security PRIDE @security-pride
Summary
austenstone/copilot-cliis a GitHub Action wrapper around GitHub Copilot CLI. The Action itself does not implement any built-in access control over who may trigger it, and its default configuration exposes a broad agent capability surface, includingallow-all-tools: true. When repository workflows pass untrusted issue, pull request, or comment content into thepromptinput, that content can influence an autonomous Copilot agent with tool access and GitHub side-effect capability. In common usage patterns, this creates an Agentic Workflow Injection (AWI) risk where attacker-controlled text can alter the agent’s plan, requested tools, and GitHub operations.Details
The action is designed as a generic wrapper and accepts a raw
promptinput:action.ymldefines a requiredpromptinput.autopilot: trueno-ask-user: trueallow-all-tools: true/as an accessible directory via--add-dir /, expanding the local file-read surface beyond the checked-out workspace.Relevant source-level observations:
action.ymlexposespromptdirectly as an input.action.ymldefaultsallow-all-toolstotrue.--allow-all-toolswhen enabled.As a result, if a workflow uses this Action on events such as
issue_comment,pull_request, orpull_request_review_commentand interpolates untrusted user-controlled content intoprompt, an attacker may be able to:This is not just a prompt-integrity problem. Because the target is an autonomous coding agent with default tool access, the impact extends to agent behavior and side effects.
PoC
I validated this issue by posting an issue comment and observing that the agent in
.github/workflows/copilot-comment.ymlcould be influenced by prompt-injection content in the comment body.Reference:
#59 (comment)
The PoC comment asked the agent to deviate from its original task and instead enumerate the tools and capabilities available in the session. This demonstrates that attacker-controlled issue-comment content can reach the agent layer and influence agent behavior in a realistic workflow using this Action.
Impact
This issue is not limited to manipulating Copilot’s reply. Because the Action runs an autonomous agent and defaults to
allow-all-tools: true, successful prompt injection can cause the agent to use tools to read local files, access broader runner context, perform GitHub-side actions, fetch remote resources, and execute arbitrary shell commands within the workflow’s privileges.Suggested Remediation
allow-all-toolstofalse--add-dir /by defaultpromptwithout workflow-level trust checks and output-side guardrails.Reported By
Security PRIDE @security-pride