A public issue could trick GitHub Agentic Workflows into exposing private repository content, according to a technical analysis by Noma Security. The company said the GitLost technique worked against a workflow with read access across an organization’s repositories and caused a private README to be pasted into a public comment.
KEY FACTS
- Technique GitLost uses indirect prompt injection through a public issue.
- Access The workflow had read access to private repositories in the organization.
- Impact A private repository README was exposed in a public comment.
- Scope The issue required no stolen credentials and no access to private repos.
GitHub Agentic Workflows, which are in public preview, let organizations assign AI agents to read issues and pull requests and respond on their own. In the test case, the workflow woke up when an issue was assigned, read the message and then posted the private text publicly.
The report said the malicious issue was disguised as a routine request and that a one-word change, adding “Additionally,” was enough to help the instruction slip past the product’s guardrail. GitHub says its system includes sandboxing, read-only tokens by default, input cleaning and a threat-detection step before output is posted.
The disclosure places the flaw in the category of indirect prompt injection, where an AI agent cannot reliably distinguish owner instructions from text written by an attacker. Researchers said the issue matters because the agent is not just chatting, but acting with credentials that can reach data the attacker cannot see.
Similar attacks have been reported against other AI coding tools and GitHub-connected agents in recent months, suggesting the main risk comes from combining untrusted public input, private data access and a channel to publish output.
WHY IT MATTERS
The findings show that organizations using AI agents with broad repository access can expose private material through normal public activity. Limiting token scope, restricting who the agent responds to and reviewing public-facing output can reduce the risk, but the report says the deeper problem is architectural.

