TaintAWI: Detecting Agent Workflow Injection Attacks in GitHub Actions

This article introduces TaintAWI—the first tool to systematically study Agent Workflow Injection (AWI) vulnerabilities in GitHub Actions. Using taint analysis, the tool identified 519 potential vulnerabilities in 13,392 workflows, of which 343 are zero-day vulnerabilities, with a precision rate of 95.6%. The study reveals the core mechanisms and practical impacts of AWI attacks, proposes defense recommendations, and fills the gap in the intersection of AI security and DevSecOps.

As a popular CI/CD platform, GitHub Actions is widely used to deploy LLM-based agents for tasks like issue classification and PR review to improve efficiency. However, the combination of AI capabilities and CI/CD automation creates new security attack surfaces. This article focuses on the Agent Workflow Injection (AWI) threat, which differs from traditional code injection—it indirectly controls behavior by manipulating the agent's input context, making it more stealthy.

AWI is a workflow-level injection flaw that manipulates agent behavior using GitHub event contexts (e.g., issue content, PR descriptions). The study identifies two modes:

1. Prompt-to-Agent (P2A)：Untrusted content directly enters the agent's prompt—similar to prompt injection but in a CI/CD context;
2. Prompt-to-Script (P2S)：Attackers influence the agent's generated output, which propagates to subsequent script execution.

TaintAWI is based on taint analysis technology, tracking data flows from untrusted event contexts to agent prompts or sensitive workflow sinks. Its construction steps are:

• Analyze 1,033 real AI-assisted Actions to extract AWI taint specifications (prompt boundaries, derived outputs, etc.);
• Parse workflows into an intermediate representation, identifying data sources (untrusted inputs) and sinks (agent calls, script executions);
• Use static analysis to track data flow paths and mark potential vulnerabilities.

The research team used TaintAWI to scan 13,392 workflows across 10,792 repositories, finding 519 potential vulnerabilities—496 of which are exploitable (95.6% precision) and 343 are zero-day vulnerabilities. They disclosed 187 high-priority cases to maintainers, 24 of which have been confirmed fixed. Many popular open-source projects (including repositories with tens of thousands of stars) are at risk of AWI.

The impact of AWI vulnerabilities depends on the agent's permissions. Severe scenarios include:

• Code Tampering: Inducing the agent to approve malicious modifications or generate backdoor patches;
• Credential Theft: Leaking environment variables and keys to the attacker's server;
• Workflow Hijacking: Modifying configurations to implant persistent malicious automation;
• Supply Chain Poisoning: Pushing malicious code to package managers via automatic releases. Attacks are stealthy and hard to distinguish with traditional monitoring.

Based on the research, the authors propose defense recommendations:

1. Input Isolation: Use clear boundary markers to separate user content from system instructions, and adopt structured prompts;
2. Least Privilege: Configure workflows with minimal necessary permissions, and require manual confirmation for critical operations;
3. Output Validation: Sanitize agent-generated outputs and restrict content types;
4. Audit and Monitoring: Establish behavior logs and monitor abnormal patterns;
5. Security Testing: Incorporate AWI testing into CI/CD evaluations and use static analysis tools to detect risks.

This study is the first to systematically reveal the security risks of agent workflows, filling the gap in the intersection of AI security and DevSecOps. Future directions include: expanding to platforms like GitLab CI, researching multi-agent collaborative attacks, and developing runtime defense mechanisms. For teams adopting AI automation, agent workflows should be included in their security threat models.