AI agents are rapidly being embedded into CI/CD pipelines to triage issues, review pull requests, and automate development workflows. When those agents run with repository write access, shell execution, and privileged tokens, a new attack surface emerges.
Our team uncovered a vulnerability pattern in real-world GitHub Actions workflows, including Google’s Gemini CLI integration, where prompt injection allowed untrusted input to influence privileged automation. By embedding malicious instructions inside issue titles or pull request descriptions, attackers could trigger shell commands, access secrets, and manipulate repository state through the AI agent itself.
This exposed a structural flaw in how AI agents are integrated into CI systems. When untrusted text is combined with high-privilege tooling, the agent effectively becomes a command interpreter.
In this session, we break down:

• How prompt injection leads to tool invocation inside CI
• Why AI agents amplify trust boundary mistakes
• The full exploitation chain from issue text to shell access
• Architectural controls to prevent similar failures

We conclude with practical engineering guidance: isolating privileges, constraining tool access, separating trust boundaries, and designing CI systems that remain secure even with embedded AI.
AI is becoming part of build infrastructure. Security architecture must evolve with it.