JAW Framework Reveals: Security Vulnerabilities of Agentic Workflows and Context-Aware Attacks

Researchers have conducted the first systematic study on the security risks of Agentic workflows in automation platforms like GitHub Actions and n8n. They proposed the JAW framework, which successfully hijacked 4714 GitHub workflows using context-aware evolution technology, revealing the potential threats of LLM Agents in automated workflows. This article will discuss aspects including background, methodology, evidence, attack scenarios, remediation progress, and recommendations.

With the improvement of Large Language Model (LLM) capabilities, platforms like GitHub Actions and n8n have integrated Agentic workflows (allowing LLM Agents to participate in tasks such as code review and data synchronization). While bringing convenience to developers, new security risks have emerged: attackers can manipulate Agents to perform malicious operations (credential theft, arbitrary command execution) by constructing inputs (e.g., GitHub Issue comments). This is the first systematic academic study on such risks.

The research team designed the JAW (Jailbreaking Agentic Workflows) framework, which hijacks Agentic workflows through a "context-aware evolution" method. The core is to evolve inputs under the guidance of context derived from hybrid program analysis to achieve hijacking. JAW generates context through three key analysis techniques: 1. Static path feasibility analysis (identifying feasible Agent invocation paths and input constraints); 2. Dynamic prompt traceability analysis (tracing the processing chain from input to LLM context); 3. Runtime capability analysis (identifying executable operations and limitations of Agents).

Large-scale evaluation results: 4714 GitHub workflows can be hijacked, 8 n8n templates have vulnerabilities, affecting 15 widely used GitHub Actions, including official Actions used by millions of developers such as GitHub's official Claude Code Action, Google Gemini CLI Action, Alibaba Qwen CLI Action, and Cursor CLI Action.

Attackers can achieve the following by constructing malicious Issue comments: 1. Credential leakage (inducing Agents to read API keys, access tokens, etc. from leaked environment variables); 2. Arbitrary command execution (prompt injection to make Agents execute system commands, potentially taking control of servers); 3. Data theft (using Agents' file access capabilities to steal sensitive code or configurations from repositories).

The research team conducted responsible disclosure and received confirmation and fixes from multiple vendors: GitHub confirmed and fixed related vulnerabilities, Google acknowledged the Gemini CLI Action issue, and Anthropic fixed the Claude Code Action security problem. The team also received bug bounty rewards from multiple vendors.

Recommendations for Developers: 1. Strictly validate and sanitize inputs entering Agent workflows; 2. Configure minimal necessary permissions for Agents; 3. Enable detailed audit logs; 4. Run Agents in an isolated environment. Recommendations for Platforms: 1. Consider prompt injection protection at the architecture level; 2. Provide secure sandboxes for Agent operations; 3. Popularize security risks to users.

The JAW framework study reveals significant security risks in Agentic workflows. As LLM Agents are widely used in automated workflows, security issues are becoming increasingly important. This study provides the first systematic analysis framework, sounding an alarm for the industry: equal attention should be paid to security protection when pursuing the convenience of automation. Paper link: http://arxiv.org/abs/2605.11229v1