AI agents are moving from chat windows into software delivery pipelines. That shift can make development faster, but Aikido Security warns it also changes the risk profile for enterprise teams using GitHub and GitLab workflows.
The concern is direct: when an AI agent reads repository content, it may treat malicious text as an instruction. If that agent also has access to tools that can run commands or edit code, a hidden prompt can become more than a nuisance.
Where the AI agent risk appears
According to Aikido Security, the issue affects workflows that connect AI agents to GitHub and GitLab. The tools named in the report include Gemini CLI, Claude Code, OpenAI Codex, and GitHub AI Inference.
The risk comes from the normal material these systems are expected to process. Issues, pull requests, and commits often contain untrusted text. In a human-only workflow, that text is read, reviewed, and interpreted by people. In an AI-assisted workflow, the same text may be inserted into a model prompt.
That is where prompt injection becomes dangerous. Attackers can place hidden instructions inside repository activity. When the AI agent later receives that content, it may interpret the injected text as a command instead of treating it as data.
Why prompt injection is more serious inside development tools
Prompt injection is not just a question of whether a model gives a bad answer. In a development workflow, the agent may be connected to practical capabilities. Aikido Security points to agents that can run shell commands or modify repositories.
That combination raises the stakes. If a model follows a malicious instruction, the outcome may involve leaked secrets or altered workflows. The attack path does not depend on a visible request from a trusted user. It can begin with content placed where the agent is already expected to look.
This makes GitHub and GitLab workflows a particularly sensitive setting for AI agents. Repositories are full of operational context, code changes, configuration details, and review discussions. The more an agent is allowed to read and act on that context, the more carefully its inputs and permissions need to be controlled.
What Aikido Security says it found
Aikido Security says its tests showed the risk affected at least five Fortune 500 companies. The source does not name those companies, but the number matters because it shows the concern is not limited to experimental setups or small projects.
The report also says Google patched the issue in its Gemini CLI repo within four days. That response suggests the problem was concrete enough to require a fix, not just a theoretical concern about AI behavior.
Aikido Security also published open search rules to help organizations secure their pipelines. Those rules are intended to make it easier for teams to look for exposed patterns in their own environments.
How teams can reduce exposure
The recommendations in the source are practical and narrow. Aikido Security advises organizations to limit the tools available to AI agents, validate all inputs, and avoid direct execution of AI outputs.
Those measures address the core failure mode. If an agent can see untrusted text, teams should assume that text may contain instructions. If an agent can take action, teams should reduce what it can do without review.
- Limit tools: Give AI agents only the capabilities they need for the workflow.
- Validate inputs: Treat issues, pull requests, and commits as content that may carry hidden instructions.
- Avoid direct execution: Do not let AI-generated outputs move straight into command execution without safeguards.
These steps do not remove the usefulness of AI agents in software development. They make the boundary clearer between reading repository content and acting on it. That boundary is essential when the same system can interpret language and perform operations in a repo.
The bigger lesson for enterprise AI adoption
The Aikido Security warning highlights a broader point about AI agents in enterprise environments. The risk is not only in the model. It is in the connection between the model, the data it reads, and the permissions it receives.
GitHub and GitLab workflows are built around collaboration, and collaboration means accepting input from many places. AI agents add a new interpreter inside that flow. If that interpreter cannot reliably separate instructions from hostile content, enterprises need controls around what it can access and execute.
For teams adopting Gemini CLI, Claude Code, OpenAI Codex, GitHub AI Inference, or similar tools, the message is straightforward. AI agents should be treated as powerful automation components, not just assistants. Their access, inputs, and outputs need the same security scrutiny as any other system that can touch code, secrets, or workflows.