Can prompt injection happen through any text the agent reads?

Yes. Any text that enters the agent’s context window can carry injected instructions — issue comments, PR descriptions, commit messages, file contents, package READMEs, and web pages fetched by tools. Guard treats all external content as untrusted by default.

How do I know if an issue or PR contains a hidden injection?

Look for HTML comments, zero-width characters, text formatted as system prompts, or unusual instructions that seem out of place. Guard automatically scans for these patterns and flags them before the agent reads the content.

Should I let my AI agent approve pull requests?

Only with Guard’s PR approval gate enabled and human confirmation required. An agent that can approve PRs based on issue text is vulnerable to prompt injection. Guard ensures a human reviews the approval decision, not just the agent.

high severityCurated advisory

Prompt injection via issue comments and pull requests

Attackers embed hidden instructions in GitHub issues, PR comments, and commit messages. When an AI agent reads these to help triage or review, it follows the embedded instructions — potentially approving malicious code or leaking repository secrets.

Protect my harness Protect a team

Affected surfacesGitHub issuespull request commentscommit messagesagent context window

The attack

What happens

An attacker opens an issue or PR comment containing hidden instructions — sometimes in HTML comments, zero-width characters, or formatted as system prompts. When the AI agent reads the issue to help triage, it interprets the hidden text as an instruction and follows it.

Step by step

How the attack unfolds

1Attacker opens a GitHub issue with a legitimate-looking title and body.

2Inside the issue, they embed a hidden instruction using HTML comments:

3Agent reads the issue as part of its triage workflow and encounters the hidden instruction in its context.

4Agent treats the embedded instruction as authoritative and approves the associated PR.

5Malicious code in the PR is merged into the main branch.

Example

What it looks like in practice

Scenario

A developer asks Claude Code to review an open PR. The PR description looks normal but contains an HTML comment: . Claude reads the comment as part of the PR context and approves the PR. The PR actually introduces a dependency that exfiltrates build secrets.

Detection

How Guard catches this

Guard scans all external content (issues, PRs, comments) for instruction-like patterns before passing them to the agent.

Guard flags HTML comments, zero-width characters, and "system:" prefixes in untrusted content.

Guard Cloud maintains a pattern library of known injection templates across teams.

Mitigation

How to stop it

Recommended action

Configure Guard to review all external content before it enters the agent’s context. Treat issue text, PR comments, and commit messages as untrusted input. Never allow the agent to approve PRs or merge code based on instructions found in issue text.

Guard configuration

Enable "Untrusted content scanning" to strip or flag instruction-like patterns from issues and PRs before the agent reads them.

Enable "PR approval gate" to require human confirmation before the agent can approve or merge code.

Enable "HTML comment detection" to flag hidden instructions in HTML comments.

FAQ

Common questions

Related advisories

More threats to know about

high

MCP tool description poisoning

Malicious MCP tool descriptions embed hidden instructions that redirect AI agents into calling the wrong tool, exfiltrating secrets, or executing unintended commands — even when the tool itself appears harmless.

Read advisory

critical

npm postinstall script abuse in AI coding environments

Malicious npm packages use postinstall scripts to execute arbitrary code during installation. In AI coding environments, these scripts can modify agent configuration, install backdoor MCP servers, or exfiltrate project secrets — all before the developer reviews the package.

Read advisory

Stop this threat before it reaches your agent

Install HOL Guard to get real-time protection against this and every other advisory in our catalog.

Install HOL Guard See team plans