GitHub recently launched Agentic Workflows — GitHub Actions combined with an AI agent backed by Claude or GitHub Copilot, writing workflows in plain Markdown. Noma Labs' first question after launch was the obvious one: what happens when the agent reads something it shouldn't trust?
The answer: it leaks private repository contents as a public comment. No credentials, no exploit code, no inside access required.
"The agent's context window is also its attack surface. Any content the agent reads — whether issues, pull requests, comments, or files — can be weaponized if the agent treats that content as instructional input."
What actually happened
Noma's researchers crafted a GitHub Issue that looked like a plausible VP Sales request — a normal-looking feature ask with hidden instructions embedded in the body. When GitHub's automation assigned the issue, it triggered an Agentic Workflow configured to:






