GitLost: How We Tricked GitHub’s AI Agent into Leaking Private Repos

14 points by hoistbypetard


unlobito

I'm not sure this makes a ton of sense, as noted by a commenter on the PoC issue.

Their agentic-issue-to-pr.lock.yml uses a secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN, so, a GitHub Personal Access Token.

If you're gonna give a non-deterministic system a PAT with access to private data … yeah :)

[ Octo STS type schemes are the safer way to do this if ${{ secrets.GITHUB_TOKEN }} isn't enough / you need cross-repo permissions, but github/roadmap#1271 sounds cool ]