Demystifying and Detecting Agentic Workflow Injection Vulnerabilities in GitHub Actions

TL;DR

This paper systematically studies agentic workflow injection vulnerabilities in GitHub Actions, introduces a taint-analysis tool, and reports numerous real-world exploitable security flaws affecting AI-assisted workflows.

Contribution

It is the first comprehensive analysis of AWI vulnerabilities in GitHub Actions, including a novel taint-tracking tool and extensive real-world vulnerability findings.

Findings

Identified 519 potential AWI vulnerabilities in real-world workflows.

Confirmed 496 vulnerabilities as exploitable, including 343 zero-day cases.

Developed TaintAWI, a taint-analysis tool for tracking untrusted data flows.

Abstract

GitHub Actions is increasingly used to deploy LLM-based agents for repository-centric tasks such as issue triage, pull-request review, code modification, and release assistance. These agentic workflows extend traditional CI/CD automation with agentic capabilities but also create a new injection surface. In this paper, we introduce Agentic Workflow Injection (AWI), a workflow-level injection flaw where untrusted GitHub event context, such as issue bodies, pull-request descriptions, or comments, is incorporated into agent prompts or agent-consumed inputs and converted into attacker-influenced behavior through agent tools or downstream workflow logic. We identify two core AWI patterns: Prompt-to-Agent (P2A), where untrusted content reaches an agent prompt boundary, and Prompt-to-Script (P2S), where attacker influence propagates through model- or agent-derived outputs into later scripts. We present the first systematic study of AWI in GitHub Actions. We characterize 1,033 real-world AI-assisted actions and extract AWI-specific taint specifications, including prompt boundaries, derived outputs, agentic capabilities, and access-control interfaces. Based on these specifications, we design TaintAWI, a taint-analysis tool that tracks flows from untrusted event context to agent prompt inputs and security-sensitive workflow sinks. Applying TaintAWI to 13,392 real-world agentic workflows from 10,792 repositories, we report 519 potential AWI vulnerabilities, of which 496 are confirmed exploitable under our threat model, yielding a precision of 95.6%. Among them, 343 are previously unknown zero-day vulnerabilities. We prioritized disclosure for 187 zero-day cases, received 26 maintainer responses, and 24 cases have been accepted or fixed at the time of writing.